Automata and Logics for Concurrent Systems:
Realizability and Verification
Benedikt Bollig
To cite this version:
Benedikt Bollig. Automata and Logics for Concurrent Systems: Realizability and Verification.
Formal Languages and Automata Theory [cs.FL]. ENS Cachan, 2015. <tel-01242861>
HAL Id: tel-01242861
https://hal.archives-ouvertes.fr/tel-01242861
Submitted on 14 Dec 2015
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Automata and Logics for Concurrent Systems:
Realizability and Verification
Habilitation Thesis
Mémoire d’Habilitation à Diriger des Recherches
submitted by
Benedikt Bollig
June 2015
Abstract. Automata are a popular tool to make computer systems accessible to
formal methods. While classical finite automata are suitable to model sequential boolean programs, models of concurrent systems involve several interacting
processes and extend finite-state machines in various respects. This habilitation
thesis surveys several such extensions, including pushdown automata with multiple
stacks, communicating automata with fixed, parameterized, or dynamic communication topology, and automata running on words over infinite alphabets. We focus
on two major questions of classical automata theory, namely realizability (asking
whether a specification has an automata counterpart) and model checking (asking
whether a given automaton satisfies its specification).
The defense took place on Tuesday, June 2, 2015, 2 p.m., at ENS Cachan, France.
The jury members are:
Prof.
Prof.
Prof.
Prof.
Prof.
Prof.
Ahmed Bouajjani
Volker Diekert
Paul Gastin
Leonid Libkin
Anca Muscholl
Jean-Marc Talbot
Author
Benedikt Bollig
Laboratoire Spécification et Vérification
CNRS & ENS Cachan
France
email: [email protected]
Reviewer
Examiner
Examiner
Reviewer
Reviewer
Examiner
Thank you, Merci, Danke!
Many people have helped me over the last years, and I would like to use the
opportunity to express my gratitude to all of them. The list of people I mention
here cannot be exhaustive, but I am aware that many more crossed and influenced
my road in one way or another.
My foremost thanks, and my sincerest appreciation, go to my mentor Paul Gastin.
I am extremely grateful for his continuous support, advice, and encouragement.
Since I defended my PhD, he has had, without any doubt, the most significant impact on my evolution as a researcher. When writing a definition or proof, the best
guideline for me has always been to first think about how Paul would write it. And
as if all that were not enough, he gave me the opportunity to work with such brilliant PhD students: I am so proud to count Aiswarya Cyriac, Benjamin Monmege,
and Akshay Sundararaman among my family, in an academic sense and in terms
of friendship. I would consider myself lucky if they have learned half as much from
me as I have learned from them.
I am flattered that Ahmed Bouajjani, Volker Diekert, Paul Gastin, Leonid Libkin,
Anca Muscholl, and Jean-Marc Talbot readily accepted to be a jury member or a
reviewer of my habilitation thesis. I can only hope that this document fulfils the
expectations that come with such a high-calibre committee.
I am very grateful to Benjamin Monmege for taking the trouble to read this thesis
and for his many accurate, subtle, and pertinent comments.
During my years at LSV, I have been so fortunate to share my office with adorable
and courteous people: Nicolas Markey, Graham Steel (together with a curious little
cat whose name I do not know), and Claudine Picaronny have created an enjoyable
and stimulating atmosphere every day.
I also spent a considerable amount of time in Christoph Haase’s office. I sincerely
thank Christoph for his support and encouragement, the various thought-provoking
discussions we had on emerging trends in computer science, and many excellent
(among some not so good) “Kalauers” 1 .
1
http://de.wikipedia.org/wiki/Kalauer
iii
I would like to thank all my co-authors for joining me on this exciting journey
that is research. Most results presented here would not have been possible without
them. A special mention goes to Dietrich Kuske, Madhavan Mukund, K. Narayan
Kumar, and Thomas Schwentick. Besides sharing their immense knowledge with
me, they made some memorable research stays possible. Normann Decker, Peter
Habermehl, Martin Leucker, and Daniel Thoma kindly let me take part in the
LeMon project, which has been another invaluable and fruitful experience.
I could not imagine a better vehicle to undertake my research journey than the
LSV, which is blessed with kind and talented people. I am particularly grateful to
the MExICo team under the guidance of Stefan Haar, to Stefan Göller and Stefan
Schwoon for enlightening and pleasurable conversations on computer science and
football science, and to the remarkably efficient and friendly administrative and
technical staff for their support.
I will never forget the warm welcome that I received when I joined the LSV ten
years ago. I am very much indebted to Myrto Arapinis, Nathalie Bertrand, Patricia Bouyer-Decitre, Stéphanie Delaune, Marie Duflot-Kremer, Catherine Forestier,
Steve Kremer, Nicolas Markey, Arnaud Sangnier, and Tali Sznajder, who have had
a lasting impression on me, and certainly on the LSV as a whole.
My heartfelt thanks go to my beloved sister, I am so happy she is around. I
am deeply grateful to my parents-in-law for their unfailing support and immense
generosity. A special thought goes to my friends Darius Dlugosz, Carsten Kern,
and Martin Leucker, who are far away and yet so close, and with whom all this
started.
I dedicate this thesis to my mother, who has always been there for me, and to the
memory of my father, who will always be right by my side, every step I take.
Le dernier mot est réservé pour toi, Virginie. Merci, infiniment, pour ton amour
inconditionnel et pour Lucas, le plus beau cadeau qu’on ait pu me faire.
Benedikt Bollig
Cachan, May 2015
iv
Contents
1 Introduction
1
1.1
Automata Models and Their Behavior . . . . . . . . . . . . . . . .
2
1.2
Specification Formalisms . . . . . . . . . . . . . . . . . . . . . . . .
5
1.3
Realizability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6
1.4
Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
1.5
Contributions and Outline . . . . . . . . . . . . . . . . . . . . . . .
8
1.6
Further Contributions . . . . . . . . . . . . . . . . . . . . . . . . .
14
1.7
Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15
2 Static Recursive Shared-Memory Systems
17
2.1
(Multiply) Nested Words and Their Automata . . . . . . . . . . . .
17
2.2
Contexts, Phases, Scopes, and Ordered Stacks . . . . . . . . . . . .
21
2.3
Monadic Second-Order Logic . . . . . . . . . . . . . . . . . . . . .
23
2.4
The Language Theory of Nested-Word Automata . . . . . . . . . .
24
2.5
Nested Traces and Their Automata . . . . . . . . . . . . . . . . . .
26
2.6
Realizability of NWA Specifications . . . . . . . . . . . . . . . . . .
29
2.7
Realizability of MSO Specifications . . . . . . . . . . . . . . . . . .
33
2.8
Temporal Logic for Nested Words . . . . . . . . . . . . . . . . . . .
34
2.9
Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
3 Parameterized Message-Passing Systems
3.1
Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
v
39
40
3.2
Message Sequence Charts . . . . . . . . . . . . . . . . . . . . . . .
42
3.3
Underapproximation Classes . . . . . . . . . . . . . . . . . . . . . .
43
3.4
Communicating Automata . . . . . . . . . . . . . . . . . . . . . . .
45
3.5
Fixed-Topology Communicating Automata . . . . . . . . . . . . . .
47
3.6
Parameterized Communicating Automata (PCAs) . . . . . . . . . .
49
3.7
Logical Characterizations of PCAs . . . . . . . . . . . . . . . . . .
50
3.8
Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
3.9
Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
4 Dynamic Sequential Systems
59
4.1
(Fresh-)Register Automata and Session Automata . . . . . . . . . .
61
4.2
Closure Properties of Session Automata . . . . . . . . . . . . . . .
64
4.3
Class Register Automata . . . . . . . . . . . . . . . . . . . . . . . .
66
4.4
Automata vs. Logic over Data Words . . . . . . . . . . . . . . . . .
71
4.5
Decision Problems . . . . . . . . . . . . . . . . . . . . . . . . . . .
75
4.6
Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
77
5 Dynamic Message-Passing Systems
79
5.1
Dynamic Message Sequence Charts . . . . . . . . . . . . . . . . . .
80
5.2
Dynamic Communicating Automata . . . . . . . . . . . . . . . . .
82
5.3
Register MSC Graphs . . . . . . . . . . . . . . . . . . . . . . . . .
87
5.4
Executability of Register Message Sequence Graphs . . . . . . . . .
88
5.5
Guarded Register MSC Graphs . . . . . . . . . . . . . . . . . . . .
92
5.6
Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
93
6 Static Timed Shared-Memory Systems
95
6.1
Timed Automata with Independently Evolving Clocks . . . . . . .
96
6.2
The Existential Semantics . . . . . . . . . . . . . . . . . . . . . . .
99
6.3
The Universal Semantics . . . . . . . . . . . . . . . . . . . . . . . . 102
6.4
The Reactive Semantics . . . . . . . . . . . . . . . . . . . . . . . . 104
6.5
Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
7 Conclusion
109
Bibliography
113
Index
127
vi
CHAPTER
1
Introduction
Computer systems are ubiquitous. They have pervaded almost every aspect of
modern human life and are becoming more and more complex. A countless number of processes run in parallel and access data stored on servers that are physically
distributed all over the globe. Indeed, mobile computing, ad-hoc networks, multicores are only a few of many omnipresent keywords that stand for a shift towards
concurrent systems. To put it bluntly:
The world IS concurrent. It IS parallel.1
However, understanding concurrency is a challenging task. The interplay of several
processes becomes unpredictable, and even carefully written and seemingly correct
programs may eventually reveal serious bugs. Unfortunately, even subtle errors
may entail serious damage to hardware, transport systems, business processes,
electronic devices, etc.
This is where formal methods come into play. The term formal methods gathers
tools and methods for a mathematically founded analysis of computer systems.
They may be adopted at the early stages of system design, but also be applied to
check an existing system against a requirements specification. This thesis aims at
contributing to the mathematical foundations of concurrent systems, their formal
modeling, specification, verification, and synthesis.
In the following, we first describe different models of concurrent systems to take
into account applications in various domains. We will focus on automata, which
are a versatile tool to model different phenomena of concurrency, yet, at the same
time, offer a unifying view of all of them. We then describe high-level specification
1
Joe Armstrong [Arm07].
1
formalisms (such as logics, regular expressions, and also automata). Though those
are also equipped with a precise mathematical semantics, they allow for a more
abstract, declarative view of a system. Two natural questions arise in this context,
which are usually referred to as realizability and model checking:
Realizability: Given a requirements specification in terms of a formula (regular
expression, automaton, respectively), is there an automaton that recognizes
all, but only those, behaviors that satisfy the specification?
Model Checking: Given a system model in terms of an automaton, and a requirements specification in terms of a formula (regular expression, automaton,
respectively), do all executions of the automaton satisfy the specification?
Both questions are actually closely related: various model-checking procedures rely
on automata-theoretic techniques and the fact that a specification is “realizable”
as an automaton. This thesis tries to contribute to both of these aspects of formal verification: realizability and model checking. In the following, we examine
some characteristics of automata, specification formalisms, realizability, and model
checking in more detail.
1.1 Automata Models and Their Behavior
Automata are a popular model of computer systems, making them accessible to
formal methods and, in particular, synthesis and automated verification techniques
such as model checking. While classical finite-state automata are suitable to model
sequential boolean programs, models of concurrent systems, involving several interacting processes, extend finite-state machines in several respects. Roughly, we may
classify a system (or a system model) according to the following characteristics:
Form of Communication. When there is only one process, we deal with a
sequential system. When there are several processes, then interprocess communication may be accomplished, e.g., via shared variables or message passing. In this
document, we consider boolean programs so that shared-variable communication
usually gives rise to finite-state systems. Thus, classical methods are applicable
for their analysis. On the other hand, message passing via a priori unbounded
channels leads to undecidability of basic verification questions. However, putting
some restrictions on the system (e.g., imposing a channel bound or restricting the
system architecture) will allow us to infer positive results for both realizability and
model checking.
In Figure 1.1, we illustrate the way of modeling the behavior that is generated by
automata for the various types of communication. One single sequential process will
produce sequences of events, as depicted on the left-hand side. One such execution
can be seen as a word, i.e., the sequence of actions that we observe. More generally,
it may be seen as a graph whose nodes are arranged chronologically, following a
total order generated by the edge relation. Each node represents an event, and
2
with each event, we associate the action that it executes. For example, the actions
a, b, c used in the figure may stand for writing or reading a variable, outputting the
value of a variable, etc. The figure in the middle models an execution as it may
be produced by a shared-memory system where processes share access to resources
such as variables. This kind of graph is usually referred to as a Mazurkiewicz trace.
In the example, we deal with two processes, sharing two events that both execute
an action c. That is, c may stand for reading or writing a variable that is shared
by both processes. Finally, in a message-passing environment, processes do not
share resources in a synchronous manner, but use an asynchronous communication
medium such as channels. The causal ordering implied by the channel policy may
then be depicted as an additional edge between a send and the corresponding
receive event. This is what happens in the graph on the right, which is called
a message sequence chart (MSC). In this example, we deal with actions a (for
sending) and b (for receiving), while c may be some internal action.
a
a
b
a
a
b
a
b
b
b
a
b
b
c
a
b
c
b
a
b
a
c
c
a
c
b
a
sequential
a
shared memory
message passing
Figure 1.1: Forms of communication
As advocated in [AG14], modeling an execution of a concurrent system in terms
of an acyclic (i.e., partially ordered) graph actually offers many advantages over
the interleaving approach (which assumes an order on concurrent events). Since
graphs visualize communication links between events, corresponding specification
languages are usually more expressive and more intuitive.
System Architecture. The system architecture, connecting processes and arranging them in a certain way (e.g., as a pipeline or as a tree), may be static and
fixed (i.e., known), or static but unknown, or it may change dynamically during
a system execution. These three cases are schematically depicted in Figure 1.2.
In the particular case where the topology is static but unknown, we deal with a
parameterized setting. So, one will be interested in questions such as “Is the system correct no matter what the topology or number of processes is?” or “Can one
transform a specification into a system that is correct for all system architectures?”.
More and more applications (let us just mention mobile computing) have dynamic
architectures which allow processes to connect to/disconnect from processes at execution time. There has been a wide range of techniques for the verification of
parameterized and dynamic systems. There are also close connections with the
theory of words over infinite alphabets, where the infinitary part can be used to
3
model an unbounded supply of process identifiers.
...
...
...
!
!
"#
$
!
static and fixed
"#
$
?
static but unknown
(parameterized)
!
dynamic
Figure 1.2: System architectures
Finite-State, Recursive, and Timed Processes. Processes themselves can be
finite-state (i.e., be modeled as finite-state automata), recursive (i.e., be modeled
as a pushdown automaton), or timed (i.e., be modeled as a timed automaton).
Figure 1.3 illustrates three process behaviors, one for each case. The behavior of
a recursive process is depicted as a nested word, where some (well-nested) edges
connect the call and return position of a function call. A timed execution, on the
other hand, provides additional time stamps telling us when an event has taken
place.
a
a
a
c
1.2
b
b
a
a
a
a
3.4
c
c
b
4.1
b
b
c
5
a
a
finite-state process
recursive process
a b 5.5
timed process
2
Figure 1.3: Type of a single process
In this thesis, we survey automata models for some combinations of the above
characteristics. In particular, we cover automata for concurrent recursive sharedmemory systems, parameterized and dynamic message-passing systems, and concurrent timed systems. In turn, these automata generalize the well-studied notions
of Zielonka automata [Zie87] (towards recursion), communicating automata [BZ83]
(towards dynamic and parameterized architectures), and timed automata [AD94]
(towards concurrency).
4
1.2 Specification Formalisms
A specification describes the desired (or forbidden) behavior of a system. While
automata serve as models of programs and, therefore, provide a low-level view of
a system, requirements specifications are usually written in a high-level language,
abstracting from implementation details and being closer to human way of thinking.
Popular examples include regular expressions, monadic second-order (MSO) logic,
as well as temporal logics. The expressive equivalence of finite automata and
MSO logic, known as the Büchi-Elgot-Trakhtenbrot Theorem, constitutes one of
the most beautiful cornerstones in the landscape of theoretical computer science
[Büc60, Elg61, Tra62]. This can also be claimed for the coincidence of languages
expressible in first-order (FO) logic and those definable in linear-time temporal logic
(LTL), which is referred to as Kamp’s Theorem [Kam68]. Beautiful on their own,
those logical connections have led to practically usable verification tools [Hol03,
HJJ+ 95].
The Büchi-Elgot-Trakhtenbrot Theorem and Kamp’s Theorem have counterparts
in concurrent settings [Tho90, TW97, DG02, DG06]. However, some classical results concerning the connection of specification formalisms with automata are not
transferable. We will see that a generic MSO logic over graphs is, in general,
too expressive to capture automata for static message-passing or recursive systems (while the second-order quantifier-alternation hierarchy collapses over words).
Moreover, the transfer of temporal logics to richer structures and graphs than
words is far from obvious. Indeed, there have been several proposals of temporal logics over Mazurkiewicz traces (see [GK07] for an overview), and a number
of temporal logics have recently been considered for concurrent recursive processes
[Ati10, ABKS12, LTN12]. Any such logic comes with tailored algorithms for its application in verification. However, it is fair to state that no canonical logic has been
identified so far (unlike in the word case where LTL can certainly be considered
the yardstick logic for linear-time model checking). Previously defined temporal
logics for concurrent recursive systems do not even enjoy a theoretical justification
as it is provided for the word case in terms of Kamp’s Theorem.
For concurrent recursive programs, we will, therefore, consider all temporal logics, as defined in the book by Gabbay et al. [GHR94], in a unifying framework.
Note that this approach has already led to a versatile framework for temporal
logics over Mazurkiewicz traces [GK07, GK10]. We also provide automata-based
specification formalisms (some of which can be considered or defined as regular expressions). The difference with system models is that automata specifications have
a global state space offering, in a sense, a high-level view. As an example, automata
with multiple pushdown stacks but one state space will serve as specifications for
concurrent-system models where several pushdown automata, with separate state
spaces, communicate via shared variables. In a dynamic setting, we introduce automata specifications with registers that can take values from infinite domains (for
example, to model process identifiers). This will reveal new connections with the
theory of formal languages over infinite alphabets.
5
1.3 Realizability
The realizability problem arises when we are given a specification that we would like
to transform into an implementation in terms of an automata model. So, the first
question to ask is if there is such an implementation at all. In the previous section,
we already mentioned the Büchi-Elgot-Trakhtenbrot Theorem saying that, roughly
speaking, all regular specifications are realizable. In Figure 1.4, three equivalent
specifications are given (from top to bottom: LTL formula, regular expression,
MSO formula) as well as an implementation in terms of a finite automaton.
b, c
G(a → F b)
a, c
a
➯
((b + c)∗ (ε + a(a + c)∗ b))∗
∀x.(a(x) → ∃y.(x ≤ y ∧ b(y))
b
Figure 1.4: Realizability of sequential finite-state systems
While, in terms of regular languages, any specification has an implementation,
the situation is more difficult when we move to the concurrent setting. Let us
look at a well studied setting of concurrent shared-memory systems with finitestate processes. Suppose that we have two processes, 1 and 2, where 1 executes
action a, and 2 executes action b. Consider Figure 1.5. Is it justified to say
that the concurrent automaton on the right-hand side, with no communication
between processes 1 and 2, is an implementation of the regular expression ↵ =
ab(ab)⇤ ? There are (at least) two arguments against it. Expression ↵ implies that
any execution performs as many a’s as b’s. But this is not realizable under the
architecture that we consider (recall that 1 and 2 do not communicate). Moreover,
b’s have to be preceded by a’s, which is not realizable for the same reason. Note
that these problems are inherent to the specifications and will not vanish with a
more clever implementation. So, what is the “right” formalism for the specification
of those systems? Or, put differently, what are the valid specifications, when we
assume that ab(ab)⇤ is not realizable?
a
?
ab(ab)∗
➯
b
a
b
Figure 1.5: (Non-)realizability of concurrent finite-state systems
Consider Figure 1.6, and suppose that the system provides a third action, call it
c, that is executed simultaneously by both processes. The concurrent automaton
on the right-hand side might then be seen as an implementation of the regular expression on the left. First, the action c allows both processes to synchronize after
each a-step (b-step, respectively), so that, in particular, there are as many a’s as
b’s in any execution. Second, the order of executing a and b is not fixed anymore
by the specification. Indeed, a classical result of Mazurkiewicz trace theory due
6
to Zielonka states that regular specifications that are closed under permutation of
such independent actions can be effectively translated into a concurrent automaton [Zie87]. Note that the specification from Figure 1.5 is actually not closed in
that sense. Similar results were obtained in the static message-passing setting
[HMK+ 05, Kus03, GKM06]. In this thesis, we obtain a generalization of Zielonka’s
theorem for concurrent recursive programs, using Zielonka’s result as a black box.
a
((ab + ba)c)∗
➯
c
b
Figure 1.6: Realizability of concurrent finite-state systems
Recall that the realizability question amounts to asking whether a specification
can be translated into an automaton. Thus, we would like to distinguish algorithmically between the specifications from Figure 1.5 (not realizable) and Figure 1.6
(realizable). The question is decidable for finite-state systems [Mus94, PWW98],
but, unfortunately, it is undecidable in the recursive case, which follows from the
undecidability of the nonemptiness problem [Ram00]. We will, therefore, identify
sufficient decidable criteria that still guarantee realizability. The idea is to restrict
the specifications. For example, we may impose a bound on the number of context
switches, a notion introduced in [QR05], where each context allows only one process to call or return from a procedure. This amounts to underapproximating the
complete system behavior. Note that the final implementation can exhibit executions that do not fit into this restriction anymore. We will come back to that point
in the subsequent section about model checking.
Other possibilities are specification formalisms that do not distinguish between
linearizations but are interpreted directly on a graph. Though this does not necessarily guarantee realizability, it already rules out design errors that can a priori
be avoided. In this thesis, we consider MSO logic and temporal logic interpreted
over behavior graphs (rather than their linearizations). Over some general classes
of graphs (subsuming the behavior of message-passing systems and shared-memory
systems), we provide results in the spirit of the Büchi-Elgot-Trakhtenbrot Theorem,
showing an effective equivalence between automata and (the existential fragment
of) MSO logic.
1.4 Model Checking
While realizability asks for an implementation of a given specification, model checking is the process of verifying the specification against a given system model. It
has its root in the seminal works by Clarke & Emerson [CE81] and Queille &
Sifakis [QS82]. Model checking is by now very well understood as far as finite-state
sequential systems are concerned, and theoretical results have turned into tools
7
successfully employed in practice (e.g., [Hol03]). On the other hand, processes communicating via message passing through unbounded channels and shared-variable
recursive processes have an undecidable control-state reachability problem [BZ83,
Ram00]. However, similarly to the case of realizability, under- or overapproximating the behavior of a system will still allow us to check certain system properties.
In other words, while exploring the set of possible behaviors, one restricts to a
subset that is susceptible to containing the relevant critical executions.
For example, in a message-passing system, we may consider only those behaviors
that do not exceed a predefined channel bound, and in a concurrent recursive
setting, one may impose a bound on contexts (cf. previous section), each allowing
only one process to evolve. The context restriction is all the more important (and
practically justified) as many system errors can be detected within a few contextswitches, as it was argued in [QR05]. Subsequently, other restrictions, relaxing the
context-bound and being mutually incomparable, were defined and shown to have a
decidable model-checking problem. They impose bounds on the number of phases
[LMP07], scopes [LN11], or restrict to certain ordered excutions [BCCC96]. In
[MP11], it was observed that all of them induce behaviors of bounded tree-width,
giving a general explanation of decidability. Indeed, tree-automata techniques play
an important role in model checking concurrent recursive programs.
Note that underapproximation techniques can be useful for verifying both positive
(or, liveness) and negative (or, safety) specifications. A positive specification contains all the behaviors that a system should exhibit, while a negative specification
represents faulty executions. If, now, the underapproximation admits all positive
behaviors, then this is actually the case for the original system. Similarly, when the
underapproximation intersects the negative specification, then this also applies to
the system. Dually, an overapproximation can be used for the following reasoning.
If it does not subsume all the positive behaviors, then the system does not exhibit
all of them either. Moreover, if the overapproximation does not intersect with the
negative behaviors, we can safely assume that the actual system will never exhibit
any bad behavior. Overapproximation techniques are usually quite different from
underapproximation methods. They have been applied successfully to messagepassing systems (for example, assuming lossy channels) [AJ93], and concurrent
recursive programs [BET03].
In this work, the focus is on underapproximation techniques for model checking parameterized message-passing systems and context-bounded recursive systems. Our
results rely on very different approaches. In the first case, we exploit a realizability
result for translating formulas into a system model (which is then compared to
the actual system model via product construction). In the latter case, we exploit
Hanf’s theorem as well as aforementioned tree-automata techniques.
1.5 Contributions and Outline
The large majority of the results presented in this document have been obtained in
collaboration with several co-authors, whom I gratefully acknowledge. All results
8
have been published in peer-reviewed conference proceedings and journals. Theorems that go back to publications that have been co-authored by myself after my
PhD are highlighted in gray. Most proofs are omitted. However, we usually give
the proof ideas and references to papers containing full proofs.
Next, we give a summary of the contributions along with the outline of this thesis.
Recall that we deal with (a subset of)
8
98
98
9
⇢
static
sequential
<
= < finite-state = <
=
realizability
dynamic
recursive
shared-memory
of
model checking
:
;:
;:
;
parameterized
timed
message-passing
systems. An attribution to chapters can be found in Table 1.1. Chapters are selfcontained and can be read independently of each other, though we often point out
analogies with other chapters.
Table 1.1: Systems covered by this document
Chapter 2
realizability/verification
static & fixed
recursive
shared-memory
Chapter 3
realizability/verification
parameterized
finite-state
message-passing
Chapter 4
realizability/verification
dynamic
finite-state
sequential
Chapter 5
realizability/verification
dynamic
finite-state
message-passing
Chapter 6
verification
static & fixed
timed
shared-memory
Chapter 2. Chapter 2 studies static recursive shared-memory systems. Both
realizability and model checking are addressed. As specification formalisms, we
consider (E)MSO logic and MSO-definable temporal logics, as well as (multiply)
nested-word automata (NWAs), a kind of multi-stack automata with one single
state space. As a model of an implementation, we introduce nested-trace automata
(NTAs), which have distributed state spaces and generalize Zielonka automata to
a recursive setting. Our main contributions in this chapter read as follows:
• We show that Zielonka’s theorem carries over to concurrent recursive systems:
any global specification (given by an NWA) that is closed under permutation
of independent events can be translated into an equivalent NTA. As closure
under independence rewriting is undecidable, we provide a variant of that
theorem. It states that certain bounded representations, which can be considered as incomplete specifications, have a distributed counterpart in terms of
an NTA. Here, “bounded” may refer to the number of contexts or phases. We
show that the property of being a bounded representation is, in each case,
decidable.
• We give logical characterizations of NTAs where behaviors are bounded. This
extends work by Thomas [Tho90], who had established expressive equivalence
9
of MSO logic and (non-recursive) Zielonka automata. We complement our
result by showing that MSO logic is strictly more expressive than NTAs over
the domain of all nested words. Actually, this is obtained as a corollary from
a characterization of NTAs in terms of EMSO logic and strictness of the
monadic second-order quantifier-alternation hierarchy over multiply nested
words.
• We determine the precise complexity of the emptiness problem for ordered
NWAs. More precisely, the problem is shown to be 2-Exptime-complete.
• We show that model checking NTAs is decidable in elementary time for every MSO-definable temporal logic over nested words. Actually, the problem
is solvable in (n + 2)-Exptime where n is the maximal level of the MSO
modalities in the monadic second-order quantifier-alternation hierarchy. We
also establish an n-Expspace lower bound for some MSO-definable temporal
logic.
The chapter refers to the following references:
[ABH08] M. F. Atig, B. Bollig, and P. Habermehl. Emptiness of multi-pushdown
automata is 2ETIME-complete. In DLT’08, volume 5257 of LNCS,
pages 121–133. Springer, 2008.
[BCGZ14] B. Bollig, A. Cyriac, P. Gastin, and M. Zeitoun. Temporal logics for
concurrent recursive programs: Satisfiability and model checking. Journal of Applied Logic, 2014. To appear.
[BGH09] B. Bollig, M.-L. Grindei, and P. Habermehl. Realizability of concurrent
recursive programs. In FoSSaCS’09, volume 5504 of LNCS, pages 410–
424. Springer, 2009.
[BKM13] B. Bollig, D. Kuske, and R. Mennicke. The complexity of model checking multi-stack systems. In LICS’13, pages 163–170. IEEE Computer
Society Press, 2013.
[Bol08] B. Bollig. On the expressive power of 2-stack visibly pushdown automata. Logical Methods in Computer Science, 4(4:16), 2008.
Chapter 3. In this chapter, we provide a simple yet natural model of parameterized message-passing systems, which we call parameterized communicating automata (PCAs). PCAs are a conservative extension of the classical communicating
automata [BZ83]. They also have a static communication topology and accept message sequence charts (MSCs), which look like the graph depicted on the right in
Figure 1.1. However, the precise communication topology is henceforth unknown so
that it becomes a parameter of the system. Most work in the literature has focused
on the verification of such systems, i.e., on the question “Does the given system
satisfy some property independently of the topology or the number of processes?”.
10
Here, we will initiate a study of the language theory of parameterized systems
and, in particular, the realizability question. Combined with emptiness-checking
algorithms, this eventually allows us to show decidability of model checking parameterized systems against MSO logic over MSCs, which is more expressive than
the (temporal) logics that have been previously considered.
Our main contributions from this chapter can be summarized as follows:
• We provide several results in the spirit of the Büchi-Elgot-Trakhtenbrot Theorem, which roughly read as follows: Given a set of communication topologies
T (e.g., the class of pipelines, ranked trees, grids, or rings) and a high-level
specification ' from some logic, there is a PCA that accepts precisely the
models of ' when it is run on a topology from T.
• Inspired by the restrictions introduced for recursive systems, we study contextbounded verification of PCAs to overcome the inherent undecidability coming with that model. Using the previous logical characterization and an
emptiness-checking algorithm, we obtain decidability of model checking of
context-bounded PCAs.
The chapter refers to the following articles:
[BGK14] B. Bollig, P. Gastin, and A. Kumar. Parameterized communicating automata: Complementation and model checking. In FSTTCS’14, volume 29 of Leibniz International Proceedings in Informatics, pages 625–
637. Leibniz-Zentrum für Informatik, 2014.
[BGS14] B. Bollig, P. Gastin, and J. Schubert. Parameterized verification of communicating automata under context bounds. In RP’14, volume 8762 of
LNCS, pages 45–57. Springer, 2014.
[BK12] B. Bollig and D. Kuske. An optimal construction of Hanf sentences.
Journal of Applied Logic, 10(2):179–186, 2012.
[Bol14] B. Bollig. Logic for communicating automata with parameterized topology. In CSL-LICS’14. ACM Press, 2014.
Chapter 4. This chapter considers sequential systems rather than concurrent
ones. However, it lays some foundations that will be exploited later in a dynamic concurrent setting. In particular, it prepares some mechanism to deal with
an unbounded number of processes and an infinite supply of process identifiers.
Accordingly, finite automata are extended to run over infinite alphabets, whose
elements are often referred to as data values. To do so, an automaton is equipped
with registers as storing capabilities for data values. Many such models have been
defined in the literature, each having its advantages and drawbacks. Here, we introduce two further models. One generalizes previously introduced models, one is
a restriction, which we call session automata. More precisely, this chapter deals
with the following issues:
11
• We consider the model-checking problem for session automata. Unlike previous approaches, which can only handle weak fragments of data MSO logic
(featuring an equality predicate for data values), we allow the full MSO logic
as a specification language. On the other hand, we restrict the automata
model to gain decidability of model checking. Moreover, we show that session automata, unlike many other classes of register automata, form a robust
language class: they are closed under boolean operations (complementation
wrt. the class of certain bounded words) and have a decidable inclusion problem.
• Moreover, we introduce class register automata, a “realistic” model of register
automata. Though it has an undecidable emptiness problem, it allows one to
reflect reading capabilities of automata (such as receive a message or return
from a procedure) that will later be transferred to a concurrent setting. We
show that the expressiveness of class register automata is between EMSO
logic and MSO logic, solving the realizability problem for EMSO logic, and
demonstrating that, somehow, class register automata recognize only “regular” languages over infinite alphabets.
The chapter covers the references indicated below. Note that, in the present
manuscript, we present a restricted framework compared to the original publications. The latter deal with stacks, which we omit here for simplicity, and multidimensional data words, while we restrict to one data value per event.
[BCGNK12] B. Bollig, A. Cyriac, P. Gastin, and K. Narayan Kumar. Model checking languages of data words. In FoSSaCS’12, volume 7213 of LNCS,
pages 391–405. Springer, 2012.
[BHLM14] B. Bollig, P. Habermehl, M. Leucker, and B. Monmege. A robust class
of data languages and an application to learning. Logical Methods in
Computer Science, 2014.
[Bol11] B. Bollig. An automaton over data words that captures EMSO logic.
In CONCUR’11, volume 6901 of LNCS, pages 171–186. Springer,
2011.
Chapter 5. In this chapter, we study dynamic message-passing systems. Like
Chapter 3, this extends classical communicating automata, but in an orthogonal
way. Moreover, we consider different questions since the results from Chapter 3 do
not carry over to the dynamic setting. We focus on realizability, but we also touch
the model-checking problem. Our contributions are as follows:
• We introduce a dynamic version of communicating automata. Like the static
variant, dynamic communicating automata (DCAs) feature concurrent processes that communicate via message exchange. However, new processes may
be generated at runtime and the number of processes that participate in an
12
execution is a priori unbounded. Processes are identified by unique process
identifiers (pids), which they can store in registers and pass to other processes
via messages. In a natural way, DCAs recognize dynamic MSCs, which are
MSCs extended by dynamic process creation.
• We study the realizability questions for high-level MSCs with registers, which
are inspired by the model of session automata presented in Chapter 4. Now,
dynamic process creation raises new problems and questions. In order for a
language to be realizable, one has to guarantee that processes that communicate with one another know each other. In particular, there must be a way
of communicating pids in such a way that a sender holds the pid of a receiver
in one of its registers at the time of communication. To our knowledge, this
question has not been considered before. Unfortunately, realizability (actually, we consider a variant called implementability) of high-level MSCs in
terms of DCAs is undecidable. Therefore, we study a decidable sufficient
criterion, which we call executability. We then define a subclass of high-level
MSCs for which executability and implementability are equivalent. The proof
of that result yields an effective construction of a DCA out of a high-level
MSC, provided that the latter is executable.
The chapter covers the following references:
[BCH+ 13] B. Bollig, A. Cyriac, L. Hélouët, A. Kara, and T. Schwentick. Dynamic
communicating automata and branching high-level MSCs. In LATA’13,
volume 7810 of LNCS, pages 177–189. Springer, 2013.
[BH10] B. Bollig and L. Hélouët. Realizability of dynamic MSC languages. In
CSR’10, volume 6072 of LNCS, pages 48–59. Springer, 2010.
Chapter 6. This chapter studies timed systems with a static communication
topology. The model we introduce is kind of unusual, since it does not assume
that clocks of the different processes evolve at the same speed. Indeed, it is often
more appropriate to relax the assumption of perfectly synchronous clocks. So, we
extend the classical notion of a timed automaton with an equivalence relation on
the set of clocks. Roughly speaking, we assume that there is no way to predict
the relative clock speed of clocks that are not equivalent (or, do not belong to the
same process). Though relative clock speeds are not predictable, or, not robust,
we are looking for a way to verify such timed automata with independently evolving
clocks. The idea is to consider an under- and an overapproximation of the actual
system behavior, which includes behaviors that are executable under every and,
respectively, some evolution of local times. Note that we had already considered
underapproximations in Chapters 2 and 3. However, the reason there to look
at behavioral restrictions was undecidability of the general problem, rather than
unpredictability. The chapter refers to the following article:
13
[ABG+ 14] S. Akshay, B. Bollig, P. Gastin, M. Mukund, and K. Narayan Kumar.
Distributed timed automata with independently evolving clocks. Fundamenta Informaticae, 130(4):377–407, 2014.
Conclusion 7. In the last chapter, we conclude and give general directions and
challenges for future work.
1.6 Further Contributions
Some of the author’s contributions are perfectly in the scope of this document, but
have not been considered in order to keep the presentation simple and homogenous.
These contributions read as follows:
• We establish a logical characterization of Muller communicating automata,
producing infinite executions. The result makes use of an extension of Hanf’s
Theorem to the infinitary quantifier [BK08].
• We also extend the logical characterization to a timed message-passing setting. Here, every process is an event-clock automaton (a subclass of timed
automata). In addition, timing constraints can be imposed on the delay between sending and receiving a message. While timed automata accept timed
words, event-clock message-passing automata accept timed MSCs, where each
event comes with an additional time stamp. As a specification language, MSO
logic is naturally extended by timing constraints [ABG13].
• We consider PDL logic for both realizability and model checking of messagepassing systems. Concerning realizability, we show that every formula can
be translated into a communicating automaton. Moreover, model checking
communicating automata and high-level MSCs against PDL specifications
are shown to be Pspace-complete [BKM10].
• As an alternative approach to realizability, we sketch a learning framework for
communicating automata. Based on Angluin’s L⇤ -algorithm, this approach
allows one to infer message-passing systems simply by classifying MSCs as
positive and negative [BK08].
The references refer to the following papers:
[ABG13] S. Akshay, B. Bollig, and P. Gastin. Event-clock message passing automata: A logical characterization and an emptiness checking algorithm. Formal Methods in System Design, 42(3):262–300, 2013.
[BK08] B. Bollig and D. Kuske. Muller message-passing automata and logics.
Information and Computation, 206(9-10):1084–1094, 2008.
14
[BKKL10] B. Bollig, J.-P. Katoen, C. Kern, and M. Leucker. Learning communicating automata from MSCs. IEEE Transactions on Software Engineering, 36(3):390–408, 2010.
[BKM10] B. Bollig, D. Kuske, and I. Meinecke. Propositional dynamic logic
for message-passing systems. Logical Methods in Computer Science,
6(3:16), 2010.
1.7 Notation
The set of natural numbers is denoted by N = {0, 1, 2, 3, . . .} and the set of positive
def
natural numbers by N>0 = {1, 2, 3, . . .}. For n 2 N, we let [n] = {1, . . . , n}. An
alphabet is any nonempty set. In this thesis, we will deal with both finite and
infinite alphabets. Given an alphabet ⌃, we denote by ⌃⇤ the set of finite words
def
(or, strings) over ⌃. The empty word is denoted ". Moreover, ⌃+ = ⌃⇤ \ {"}.
For two sets A and B, we let [A * B] be the set of partial mappings from A to B.
Let f : A ! B be a total or partial function, a 2 A, and b 2 B. By f[a 7! b], we
denote the function that maps a to b and coincides with f on all other arguments.
We sometimes write fa to denote f(a). We let dom(f) stand for the domain of f,
i.e., the set of elements a 2 A such that f(a) is defined. We may identify f with
the set {(a, f(a)) | a 2 dom(f)}.
15
16
CHAPTER
2
Static Recursive Shared-Memory Systems
In this chapter, we consider recursive systems with a static and fixed (i.e., known)
communication topology. A system is recursive if a process may suspend its activity
and invoke (or, call) a subtask, before proceeding (or, returning). A stack is used
to store the current configuration of the process, and to recover it, once the subtask
has been completed. The programs we consider are boolean, i.e., possible variables
range over a finite domain. In particular, the set of states and the alphabet of
stack symbols are finite. Boolean programs, in turn, may arise as abstractions
from programs with infinite-domain variables.
As discussed in the introduction, recursive systems may be defined in several equivalent ways. The classical definition is in terms of a pushdown automaton with
explicit stacks. A run is then a sequence of configurations, which keep track of the
current stack contents. Alternatively, automata may run on words enriched with
nesting relations, one for each process. A nesting relation connects a call position
with the corresponding return position. In that case, a transition of the automaton
that performs a return will depend on the state reached after executing the corresponding call position. It is then sufficient to define a run as a simple sequence
of states (without explicitly mentioning the stack contents). This is the approach
adopted in this thesis.
2.1 (Multiply) Nested Words and Their Automata
Nested words [AM09a] extend a word (or, total order) by one or more nesting
relations. They reflect executions of concurrent recursive programs, with the understanding that the nesting relation connects a function call with its corresponding
return position. We assume that the event labeling tells us whether we deal with
17
a call or a return so that the nesting relation is actually uniquely given.
˜ = (⌃, P, type, ) where ⌃ is
A distributed (visibly pushdown) alphabet is a tuple ⌃
a finite alphabet, P is a nonempty finite set of processes, the mapping type : ⌃ !
{call, ret, int} indicates the type of an action (call, return, internal), and : ⌃ ! 2P .
The intuition is that (a) is the set of processes that are involved in the execution of
a 2 ⌃. We require that (a) 6= ; for all a 2 ⌃, and | (a)| = 1 for all a 2 ⌃call [ ⌃ret .
The latter condition implies that synchronization is achieved via internal actions
only. Note that, however, the concrete distribution of internal actions only matters
in Section 2.5, when we define nested Mazurkiewicz traces.
Definition 2.1 (nested word). A (multiply) nested word over the distributed
˜ is a triple (E, C, ) where
alphabet ⌃
• E is a nonempty finite set of events,
•
: E ! ⌃ is the event-labeling function, and
• C = C+1 [Ccr ✓ E ⇥E is an acyclic edge relation (denoting direct successors
or matching a call with a return)
such that the properties 1.–4. below are satisfied. Hereby, for ⌧ 2 {call, ret, int}, we
def
def
let E⌧ = {e 2 E | ⌧ = type( (e))}. Moreover, given p 2 P , set Ep = {e 2 E | p 2
( (e)).
def
1. 6 = C⇤ is a total order on E (with strict part <), and C+1 is the direct
successor relation of 6,
2. Ccr induces a bijection between Ecall and Eret ,
3. for all (e, f ) 2 Ccr , there is p 2 P such that e 2 Ep and f 2 Ep , and
4. for all (e1 , f1 ), (e2 , f2 ) 2 Ccr and p 2 P such that e1 2 Ep , e2 2 Ep , and
e1 < e2 < f1 , we have f2 < f1 .
}
Condition 3. ensures that a call-return edge is restricted to one process, and condition 4. guarantees that calls and returns of one process follow a stack policy (in
other words, Ccr \ (Ep ⇥ Ep ) is well-nested for every p 2 P ). Note that the sets
C+1 and Ccr are not necessarily disjoint.
˜ is denoted by NW(⌃).
˜ When ⌃
˜ is clear from the
The set of nested words over ⌃
context, we may just write NW. We do not distinguish isomorphic nested words.
The term visibly stresses the fact that an action uniquely determines the type
and stack involved in its execution. Visibility actually reveals the nesting structure if only the sequence of labels from ⌃ is given. Let us formalize this and
let W = (E, C, ) be a nested word. Assume, without loss of generality, that
E = {e1 , . . . , en } with e1 C+1 e2 C+1 . . . C+1 en . The string of W is defined
def
as string(W ) = (e1 ) . . . (en ) 2 ⌃+ . Now, given any word w 2 ⌃+ , there is at
˜ such that string(W ) = w.
most one (up to isomorphism) nested word W over ⌃
18
If it exists, then we denote it by nested (w) and we call w well-nested, since it is
guaranteed that calls and returns are well bracketed, for any process/stack. Note
that, for any nested word W , we have nested (string(W )) = W .
˜ = (⌃, P, type, ) given by ⌃ =
Example 2.2. Consider the distributed alphabet ⌃
{a1 , b1 , a2 , b2 , c}, P = {1, 2}, type(a1 ) = type(a2 ) = call, type(b1 ) = type(b2 ) = ret,
and type(c) = int, as well as (a1 ) = (b1 ) = {1}, (a2 ) = (b2 ) = {2}, and (c) =
˜ Straight edges represent
{1, 2}. Figure 2.1 shows the nested word W2.1 over ⌃.
the relation C+1 , whereas curved edges represent Ccr . We have string(W2.1 ) =
a1 ca2 a1 ca2 cb1 cb1 b2 b2 .
}
cr
a1
c
+1 a
2
a1
c
a2
c
b1
c
b1
b2
b2
Figure 2.1: The multiply nested word W2.1
Now, we consider automata that run on multiply nested words and are suitable as
a model of recursive programs. As explained before, these automata run directly
over nested words so that the stacks are only implicit.
˜ is a tuple A =
Definition 2.3 (NWA). A nested-word automaton (NWA) over ⌃
(S, , , ◆, F ) where
• S is the nonempty finite set of states,
•
is the nonempty finite set of stack symbols,
• ◆ 2 S is the initial state,
• F ✓ S is the set of final states, and
•
call
]
–
call
–
✓ S ⇥ ⌃call ⇥
ret
–
int
ret
]
is the transition relation, partitioned into
=
int
✓ S ⇥ ⌃ret ⇥
⇥ S,
⇥ S, and
✓ S ⇥ ⌃int ⇥ S.
}
Reading an event e of a nested word, transition (s, a, s0 ) 2 int lets the automaton
move on from the current state s to the target state s0 if e is labeled with letter a.
The same applies to a transition (s, a, A, s0 ) 2 call [ ret . However, in addition,
this transition allows A to associate with a call event stack symbol A. The symbol
can then be retrieved at the corresponding return position. In a sense, this is
equivalent to reading a stack symbol previously pushed. More precisely, we require
19
that, whenever eCcr f , the stack symbol chosen at e is the same as the stack symbol
employed by the transition that is taken at position f .
Let W = (E, C, ) be a nested word. Let us, again, assume that E = {e1 , . . . , en }
with e1 C+1 e2 C+1 . . . C+1 en . A run of A on W is a pair (⇢, ) of mappings
⇢ : E ! S and : Ecall [ Eret ! such that,
• for all (e, f ) 2 Ccr , we have (e) = (f ), and
• for every i 2 {1, . . . , n} (letting ⇢(e0 ) = ◆),
(
⇢(ei 1 ), (ei ), ⇢(ei ) 2 int
⇢(ei 1 ), (ei ), (ei ), ⇢(ei ) 2 call [
ret
if ei 2 Eint
if ei 2 Ecall [ Eret .
The run (⇢, ) is accepting if ⇢(en ) 2 F . The set of multiply nested words for
which there is an accepting run is denoted by L(A).
We say that A is deterministic if
• for all (s, a) 2 S ⇥ ⌃call , there is at most one pair (A, s0 ) 2
(s, a, A, s0 ) 2 call ,
⇥ S such that
• for all (s, a, A) 2 S ⇥ ⌃ret ⇥ , there is at most one s0 2 S such that
(s, a, A, s0 ) 2 ret , and
• for all (s, a) 2 S ⇥ ⌃int , there is at most one s0 2 S such that (s, a, s0 ) 2
int .
Example 2.4. An NWA A2.2 = ({s0 , . . . , s5 }, {$}, , s0 , {s5 }) over the distributed
˜ from Example 2.2 is given in Figure 2.2. Transitions are self-explanatory.
alphabet ⌃
For example, int contains (s3 , c, s4 ), and ret contains (s4 , b2 , $, s5 ), which is indicated by the edge from s4 to s5 with label b2 |$ . Note that A2.2 accepts those
nested words that (i) contain a subsequence a1 a2 or a2 a1 , (ii) have a call and a
subsequent return phase, separated by some action c, and (iii) schedule returns of
˜ from Figure 2.1 is
process 1 before those of process 2. The nested word over ⌃
accepted by A2.2 . Note that A2.2 is not deterministic.
}
a1 |$
a2 |$
c
a1 |$
s1
a1 |$
a2 |$
c
a2 |$
s0
c
s3
a2 |$
s2
b1 |$
c
s4
b2 |$
c
b2 |$
s5
a1 |$
Figure 2.2: Nested-word automaton A2.2
Unfortunately, in the presence of at least two processes/stacks, most basic verification problems for NWAs are undecidable, such as nonemptiness:
Theorem 2.5 ([Ram00]). The following problem is undecidable:
˜ ; NWA A over ⌃
˜
Instance: ⌃
Question: L(A) 6= ; ?
20
2.2 Contexts, Phases, Scopes, and Ordered Stacks
In the seminal paper [QR05], Qadeer and Rehof exploited the fact that errors of
recursive programs typically occur already within a few contexts where a context
refers to an execution involving only one process. Imposing a bound on the number
of contexts indeed renders many verification problems decidable. In other words,
instead of looking at all possible executions, we consider an underapproximation
of the actual system behavior. This view is particularly suitable when checking
positive specifications: if a system A should exhibit all behaviors given by a set
Good , then it is sufficient to show that Good ✓ L(U ) is true for a restricted version
U of A such that L(U ) ✓ L(A). Thus, we are interested in restrictions U of A such
that the problem Good ✓ L(U ) is decidable and that we may adjust incrementally
so as to converge to L(A). On the other hand, given a negative specification (or,
safety property) Bad , we can also draw conclusions from L(U ) \ Bad 6= ;, while
showing complete absence of bad behaviors would require an overapproximation of
the system behavior.
Next, we recall the notion of a context as well as other restrictions that have been
˜ be a nested word. An
defined in the literature. Let W = (E, C, ) 2 NW(⌃)
def
interval of W is a set I ✓ E such that I = ; or I = [e, f ] = {g 2 E | e  g  f }
for some e, f 2 E. In a context, only one designated process is allowed to call or
return, while a phase only restricts return operations:
• A context of W is an interval I such that I \ (Ecall [ Eret ) ✓ Ep for some
p 2 P.
• A phase of W is an interval I such that I \ Eret ✓ Ep for some p 2 P .
Note that every context is a phase, while the converse does not hold in general.
Definition 2.6 (k-context word [QR05] and k-phase word [LMP07]).
Let W = (E, C, ) be a nested word and k 1. We say that W is a k-context word
(k-phase word) if there are contexts (phases, respectively) I1 , . . . , Ik of W such that
E = I1 [ . . . [ Ik .
}
While every k-context word is a k-phase word, but not the other way around, two
orthogonal restrictions have been defined in terms of bounded scopes and ordered
nested words, which we consider next. A scope-bounded word restricts the number
of contexts between a push and the corresponding pop operation.
Definition 2.7 (k-scope word [LN11]). Let W = (E, C, ) be a nested word
and k 1. We call W a k-scope word if, for all (e, f ) 2 Ccr , there exist contexts
I1 , . . . , Ik of W such that we have [e, f ] = I1 [ . . . [ Ik .
}
Finally, in an ordered word, we refer to a total ordering
on P (with irreflexive
part ). Then, a pop operation can only be performed by the process that is
minimal among all processes with a nonempty stack.
21
˜ We
Definition 2.8 (ordered word [BCCC96]). Let W = (E, C, ) 2 NW(⌃).
0
0
call W an ordered word (wrt. ) if, for all p, p 2 P , e, f 2 Ep , and f 2 Eret \ Ep0
such that e Ccr f and e < f 0 < f , we have p0 p.
}
Example 2.9 (continues Example 2.2). Figure 2.3 illustrates the concepts introduced above by means of the nested word W2.1 from Figure 2.1. The shadowed
areas are dedicated to process 2. Thus, W2.1 is a 6-context word, a 5-scope word,
and a 2-phase word. All these bounds are optimal. Moreover, W2.1 is an ordered
word under the assumption 1 2 (but not for 2 1).
}
a1
contexts
c
1
a2
a1
2
a2
c
3
phases
c
4
b1
c
b1
b2
5
b2
6
1
2
Figure 2.3: Illustration of context, phase, and scope
def
Let R = {k-cnt , k-ph , k-scp | k 1} [ {ord} be the set of possible “restrictions”.
˜ In particular, by NWord (⌃),
˜
For ✓ 2 R, the set of ✓-words is denoted by NW✓ (⌃).
we denote the set of ordered words, silently assuming an order on P . Moreover,
def
˜ When convenient, we omit the
for an NWA A, we let L✓ (A) = L(A) \ NW✓ (⌃).
˜
reference to ⌃ and write, for example, NWk-ph .
Example 2.10. Consider the NWA A = A2.2 from Figure 2.2. We have that
L(A) = L2-ph (A) = Lord (A). On the other hand, Lk-cnt (A) and Lk-scp (A) are
strictly included in L(A), for all k 1.
}
Let us define the respective nonemptiness problems:
Problem 2.11. Ord-Nonemptiness:
Instance:
Question:
Instance:
Question:
˜ ; NWA A (over ⌃)
˜
⌃
Lord (A) 6= ; ?
Problem 2.13. Phase-Nonemptiness:
Instance:
Question:
Problem 2.12. Context-Nonemptiness:
˜ ; NWA A ; k
⌃
Lk-ph (A) 6= ; ?
˜ ; NWA A ; k
⌃
Lk-cnt (A) 6= ; ?
1
Problem 2.14. Scope-Nonemptiness:
Instance:
Question:
1
˜ ; NWA A ; k
⌃
Lk-scp (A) 6= ; ?
1
Indeed, all these problems are decidable with varying complexities. We assume
that the parameter k is given in unary. For a comparison between the effects of a
unary and a binary encoding, see [BD13].
Theorem 2.15 ([QR05, LTKR08]). Context-Nonemptiness is NP-complete.
22
Theorem 2.16 ([LMP07, LMP08b]). Phase-Nonemptiness is 2-Exptimecomplete.
Theorem 2.17 ([LN11]). Scope-Nonemptiness is Pspace-complete.
Theorem 2.18 ([ABH08]). Ord-Nonemptiness is 2-Exptime-complete.
In [MP11], a uniform argument for decidability of the above problems was given
by Madhusudan and Parlato: for ✓ 2 {k-cnt , k-ph | k
1} [ {ord}, the class
of ✓-words has bounded tree width. By Courcelle’s theorem, this implies that
nonemptiness of NWAs and even model-checking of NWAs against MSO properties
is decidable. It was then shown that scope-bounded words have bounded tree
width, too [LP12].
An alternative unifying approach is given by Cyriac, Gastin, and Narayan Kumar
[CGNK12] in terms of the notion of split-width. Since split-width is tailored to
nested words, it is simpler than tree width and allows for a more intuitive understanding of a class of bounded multi-threaded programs. Note that split-width also
led to generalizations of the above-mentioned classes and other existing work on
recursive message-passing systems [AGNK14b, Cyr14].
2.3 Monadic Second-Order Logic
We give a short account of monadic second-order (MSO) logic over nested words.
The logic is built over countably infinite supplies {x, y, x1 , x2 , . . .} of first-order and
{X, Y, X1 , X2 , . . .} of second-order variables. First-order variables are interpreted
as events, second-order variables as sets of events. As usual, the predicates available
in MSO logic depend on the signature of a structure, which is given in terms of the
˜ = (⌃, P, type, ).
distributed alphabet ⌃
˜ are built according to the followDefinition 2.19. The formulas from nwMSO(⌃)
ing grammar:
' ::= a(x) | x C+1 y | x Ccr y | x = y | x 2 X |
¬' | '1 _ '2 | 9x.' | 9X.'
where a 2 ⌃, x, y are first-order variables, and X is a second-order variable.
}
Throughout this document, we use the usual abbreviations such as '1 ^ '2 for
¬(¬'1 _ ¬'2 ), ' ! for ¬' _ and 8x.' for ¬9x.¬'.
˜ is interpreted over a nested word W = (E, C, ) 2
A formula ' 2 nwMSO(⌃)
˜ wrt. a mapping I. The purpose of the latter is to interpret free variables.
NW(⌃)
It maps any first-order variable x to an event I(x) 2 E and any second-order
23
variable X to a set of events I(X) ✓ E. We write W |=I ' if formula ' is
evaluated to true when the free variables of ' are interpreted according to I. In
particular, we have W |=I a(x) if (I(x)) = a, and W |=I x Ccr y if I(x) Ccr I(y).
The remaining operators are as expected. When ' is a sentence, i.e., a formula
without free variables, we may omit the indez I and simply write W |= '. For
an introduction to MSO logic on (classical) words and its semantics, we refer the
reader to [Tho97].
˜ contains the existential MSO (EMSO) formulas, which
The fragment nwEMSO(⌃)
are of the form 9X1 . . . 9Xn .' where ' does not make use of second-order quantification.
2.4 The Language Theory of Nested-Word Automata
Let us examine closure properties of NWAs as well as their expressive power compared to MSO logic. One may call a language (or automata) class robust when
it is effectively closed under all Boolean operations and has a decidable emptiness
problem. A robust language class is amenable to verification tasks such as model
checking, since the inclusion problem is decidable.
It is easy to see that NWAs are closed under union and intersection. This has to be
seen in contrast to the fact that the class of context-free languages (CFLs) is not
closed under intersection. The intuitive reason for this is that, in CFLs, actions are
no longer visible. Indeed, augmenting words by the nesting structure makes sure
that, while simulating two NWAs, the automaton for intersection performs push
and pop operations at the same positions of the input word.
However, NWAs do not form a robust automata class, as their emptiness problem
is undecidable (Theorem 2.5). This even applies when we restrict to two stacks.
However, in the presence of at most two stacks, we can establish a logical characterization:
˜ The following
Theorem 2.20 ([Bol08]). Suppose |P | = 2 and let L ✓ NW(⌃).
statements are effectively equivalent:
˜ such that L(A) = L.
1. There is an NWA A over ⌃
˜ such that L(') = L.
2. There is a sentence ' 2 nwEMSO(⌃)
In [Bol08], it is also shown that the monadic quantifier-alternation hierarchy over
nested words is infinite, by an encoding of grids into nested words. We obtain, as
a corollary, that NWAs are not complementable:
24
˜ such
Theorem 2.21 ([Bol08]). Suppose |P | = 2. There is an NWA A over ⌃
0
0
˜ we have L(A ) 6= NW(⌃)
˜ \ L(A).
that, for all NWAs A over ⌃,
We have seen that restricting the domain of nested words appropriately, renders the
emptiness problem for NWAs decidable. It has been shown that above restrictions
actually give rise to robust language classes. The next theorem states that, under
any of the restrictions introduced above, NWAs are complementable:
Theorem 2.22 (complementability [LMP07, LNP14a, LNP14b]). Let ✓ 2
˜ the following hold:
R. Then, for all NWAs A over ⌃,
˜ such that L(A0 ) = NW✓ (⌃)
˜ \ L(A).
1. There exists an NWA A0 over ⌃
˜ such that L(A0 ) = NW(⌃)
˜ \ L✓ (A).
2. There exists an NWA A0 over ⌃
For every ✓ 2 R, the proof more or less follows the following schema: A nested
˜ is encoded by means of an injective mapping as a ranked tree
word W 2 NW✓ (⌃)
tree(W ). One constructs a tree automaton B recognizing tree(NW✓ (A)) and a tree
automaton BA recognizing tree(L✓ (A)). Since tree automata are complementable,
there is a tree automaton BA0 for the complement of L(BA ). From BA0 ⇥ B, one then
˜ \ L(A).
extracts an NWA A0 such that L(A0 ) = tree 1 (L(BA0 ⇥ B)) = NW✓ (⌃)
Note that, in Theorem 2.22, statement 1. is implied by 2. and vice versa by the
following lemma:
˜
Lemma 2.23. For all ✓ 2 R, there are deterministic NWAs A✓ and A0✓ over ⌃
0
˜
˜
˜
such that L(A✓ ) = NW✓ (⌃) and L(A✓ ) = NW(⌃) \ NW✓ (⌃).
Proof (sketch). The lemma is easily seen for contexts and phases. In the case of
ordered words, one has to keep track of the stacks that currently have a stack
symbol pushed. For k-scope words, one verifies that all call-return edges span
over at most k contexts (some call-return edge spans over more that k contexts,
respectively).
While phase-bounded and ordered NWAs are in general not determinizable [LMP07],
the other restrictions allow for the following theorem:
Theorem 2.24 ([LMP10a, LNP14a]). Let ✓ 2 {k-cnt , k-scp | k
1}. Then,
0
˜
˜
for all NWAs A over ⌃, there exists a deterministic NWA A over ⌃ such that
L(A0 ) = L✓ (A).
Moreover, all of the above restrictions give rise to a characterization in terms of
˜ The proof essentially uses Theorem 2.22, which reduces
MSO logic nwMSO(⌃).
negation in MSO logic to complementation in NWAs.
25
Table 2.1: Closure, decidability, and expressiveness properties for NWA
[
\
Compl.
Det.
Emptiness
RegL
yes
yes
yes
yes
Nlog
CFL
yes
no
no
no
P
1-NWA (|P | = 1)
yes
yes
yes
yes
P
2-NWA (|P | = 2)
yes
yes
no
undecidable
k-context NWA
yes
yes
k-phase NWA
yes
yes
k-scope NWA
yes
yes
ordered NWA
yes
yes
no
[Bol08]
yes
[LMP10a]
yes
[LMP07]
yes
[LNP14a]
yes
[LNP14b]
[LMP07]
yes
9MatchFO
[LST95]
MSO
[AM09b]
EMSO $ MSO
[Bol08]
NP-c
[QR05, LTKR08]
no
2-Exptime-c
[LMP07]
[LMP07, LMP08b]
yes
Pspace-c
no
2-Exptime-c
[LMP10a]
MSO
[Büc60, Elg61, Tra62]
[LMP10a]
[LNP14a]
Logic
[LTN12]
[ABH08]
MSO
[LMP10a]
MSO
[LMP07]
MSO
[LNP14a]
MSO
[LNP14b]
Theorem 2.25 ([LMP07, LNP14a, LNP14b]). Let ✓ 2 R. Then, for all L ✓
˜ the following statements are equivalent:
NW✓ (⌃),
˜ such that L(A) = L.
• There is an NWA A over ⌃
˜ such that L(') = L.
• There is a sentence ' 2 nwMSO(⌃)
From Theorems 2.15–2.18 and Theorem 2.25, one can infer that model checking
bounded NWAs against MSO properties is decidable: Given ✓ 2 R, an NWA A
˜ and a sentence ' 2 nwMSO(⌃),
˜ do we have L✓ (A) ✓ L(') ?
over ⌃,
Table 2.1 summarizes decidability, closure, and expressiveness properties for NWA.
In view of these results, it is justified to call NWA a robust automata class when
considered over the classes of ordered words and k-context/phase/scope words.
This makes them appealing in several verification settings as well as for languagetheoretic considerations. Their robustness is underpinned by the results from the
next section, which lift classical theorems from Mazurkiewicz trace theory to the
recursive setting.
2.5 Nested Traces and Their Automata
Multiply nested words account for the interweaving of calls and returns performed
by several processes. However, they do not reflect the inherent concurrency of
events that are involved in distinct processes. A natural model of executions of
concurrent recursive programs are nested traces, which combine nested words and
˜ = (⌃, P, type, ) (cf.
Mazurkiewicz traces. Thus, we fix a distributed alphabet ⌃
26
Section 2.5). The definition of a nested trace is very similar to that of a nested
word (cf. Definition 2.1 on page 18), but instead of just one direct-successor relation
C+1 , there is one such relation Cp for every process p 2 P .
Definition 2.26 (nested trace [BGH09]). A nested trace over the distributed
˜ is a triple (E, C, ) where
alphabet ⌃
• E is a nonempty finite set of events,
: E ! ⌃ is the event-labeling function, and
S
• C = Ccr [ p2P Cp ✓ E ⇥ E is an acyclic edge relation
•
such that properties 1.–4. below are satisfied. Here, the sets Ep , Ecall , and Eret are
given as in Definition 2.1.
def
1. For all p 2 P , 6p = C⇤p is a total order on Ep (with strict part <p ), and Cp
is the direct successor relation of 6p ,
2. Ccr induces a bijection between Ecall and Eret ,
3. for all (e, f ) 2 Ccr , there is p 2 P such that e 2 Ep and f 2 Ep , and
4. for all (e1 , f1 ), (e2 , f2 ) 2 Ccr and p 2 P such that e1 2 Ep , e2 2 Ep , and
e1 <p e2 <p f1 , we have f2 <p f1 .
}
˜ is denoted by NTr(⌃).
˜ Again, we do not distinguish
The set of nested traces over ⌃
isomorphic nested traces.
˜ from Example 2.2 on page 19,
Example 2.27. Consider the distributed alphabet ⌃
˜
with P = {1, 2}. A nested trace over ⌃ is depicted in Figure 2.4.
}
cr
cr
a1
1
1
a1
1
c
1
1
c
2
a2
2
b1
1
c
2
a2
1
b1
2
b2
c
2
2
2
b2
cr
cr
Figure 2.4: The nested trace T2.4
Next, we define a distributed automata model running over nested traces, originally
introduced in [BGH09]. Here, distributed means that every process has its own local
state space and transition relation. More precisely, there is a transition relation for
every action a 2 ⌃. A transition involving a can access the local state of any process
from (a), and modify it. Since a 2 ⌃call [ ⌃ret implies | (a)| = 1, executing call
and return actions updates the local state of only one single component.
27
˜ is
Definition 2.28 (NTA [BGH09]). A nested-trace automaton (NTA) over ⌃
a tuple C = ((Sp )p2P , , , ◆, F ). Here, the Sp are disjoint finite sets of local states
(Sp containing the local states of process p), and is the nonempty finite
Q set of
0
stack symbols. Given a set P ✓ P , let SP 0 denote the cartesian product p2P 0 Sp .
The tuple ◆ 2 SP is a global initial state, and F ✓ SP is the set of global final
states. Finally, = call ] ret ] int is the transition relation, partitioned into
•
call
✓
•
ret
✓
•
int
✓
S
S
S
p2P (Sp
⇥ ⌃call ⇥
p2P (Sp
⇥ ⌃ret ⇥
a2⌃int (S (a)
⇥ Sp ),
⇥ Sp ), and
⇥ {a} ⇥ S
}
(a) ).
S
Let S = P 0 ✓P SP 0 . For s 2 S and p 2 P , we let sp be the p-th component
of s (if it exists). A run of the NTA C on a nested trace T = (E, C, ) will
include a mapping ⇢ : E ! S such that ⇢(e) 2 S ( (e)) for all e 2 E. Intuitively,
for process p 2 ( (e)), the component ⇢(e)p is the state that p reaches after
executing e. Before we specify when ⇢ is actually a run, let us define another
mapping ⇢ : E ! S that also satisfies ⇢ (e) 2 S ( (e)) for all e 2 E. Intuitively,
⇢ (e) collects the current source states of those processes that are involved in
executing e. We let ⇢ (e) = (sp )p 2 ( (e)) where
sp =
(
◆p
⇢(f )p
if e is Cp -minimal
if f Cp e .
Recall that, hereby, ⇢(f )p denotes the p-th component of ⇢(f ) 2 S ( (f )) . This
component indeed exists since p 2 ( (f )). Now, we call the pair (⇢, ), with
: Ecall [ Eret ! , a run of C on T if,
• for all (e, f ) 2 Ccr , we have (e) = (f ), and
• for all e 2 E, it holds
8
>
< ⇢ (e)p , (e), (e), ⇢(e)p 2
⇢ (e)p , (e), (e), ⇢(e)p 2
>
:
⇢ (e), (e), ⇢(e) 2 int
call
ret
if e 2 Ecall \ Ep
if e 2 Eret \ Ep
if e 2 Eint .
To determine if run (⇢, ) is accepting, we look at the global final state reached
at the end of a run. It collects, for all p 2 P , the local state associated with the
Cp -maximal event, or ◆p if Ep = ;. Formally, let t = (tp )p2P 2 SP be given by
tp =
(
⇢(e)p
◆p
if e is Cp -maximal
if Ep = ; .
We call (⇢, ) accepting if t 2 F . Finally, we denote by L(C) the set of nested
˜ that come with an accepting run of C.
traces over ⌃
28
a1 |$
s0
a1 |$
c
t0
a2 |$
a1 |$
b1 |$
s1
s2
c
a2 |$
c
c
t1
t2
a2 |$
b1 |$
Figure 2.5: The NTA C2.5
˜ from Example 2.2,
Example 2.29. Again, we assume the distributed alphabet ⌃
˜ depicted
with P = {1, 2}. Consider the NTA C2.5 = ((Sp )p2P , {$}, , ◆, F ) over ⌃
in Figure 2.5. Its components are given by S1 = {s0 , s1 , s2 }, S2 = {t0 , t1 , t2 },
◆ = (s0 , t0 ), F = {(s2 , t2 )}. The new feature (compared to NWAs) are the synchronizing transitions from int , which contains ((si , si ), c, (si , si )) for all i 2 {0, 1, 2}
as well as ((s1 , t1 ), c, (s2 , t2 )). Note that C2.5 is eventually forced to execute “concurrent” occurrences of a1 and a2 : When one process moves on to s1 or t1 , then
executing c is no longer possible unless the other process catches up. The nested
trace T2.4 on page 27 is accepted by C2.5 . Note that, there are indeed concurrent
occurrences of a1 and a2 .
}
A special case of NTAs is given when ⌃ = ⌃int . Then, an NTA is precisely an
asynchronous automaton (also Zielonka automaton) [Zie87], and a nested trace is
actually a Mazurkiewicz trace. However, according to our terminology, we rather
call it a trace automaton. Since all actions from ⌃ have the same type, the language
of a trace automaton may be seen as a set of Mazurkiewicz traces [DR95].
2.6 Realizability of NWA Specifications
Note that NTAs are a truly concurrent model as processes may move independently
unless they perform synchronizing actions from ⌃int . On the other hand, NWAs
possess one single state space, and the global control may enforce an order even
on a priori independent actions. Yet, there are tight connections between NTAs
and NWAs. To reveal that relation, we will first study more closely the relation
between nested words and nested traces.
˜ its
First, we can naturally associate with a nested trace T = (E, C, ) over ⌃
linearizations, each of which fixes an ordering of uncomparable (wrt. ) events.
Intuitively, a linearization is one possible scheduling policy of a nested trace. For˜
mally, a linearization of T is any nested word of the form W = (E, C0 , ) 2 NW(⌃)
0
0
such that  ✓  . Note that this implies Ccall = Ccall . For example, the nested
word from Figure 2.1 on page 19 is a linearization of the nested trace from Figure 2.4 on page 27. By lin(T ), we denote the set of linearizations of T . Given
29
w
= string(W )
∈ Σ∗
nested
string
W
= nested (w)
∈ lin(T )
∈ NW(Σ̃)
trace
lin
T
= trace(W )
∈ NTr(Σ̃)
Figure 2.6: Relation between strings, nested words, and nested traces
˜ there is a unique nested trace T 2 NTr(⌃)
˜ such that W 2 lin(T ).
W 2 NW(⌃),
˜ and
We denote this trace by trace(W ). This is extended to languages L ✓ NW(⌃),
we set trace(L) = {trace(W ) | W 2 L}. The relation between the mappings string
and nested (from Section 2.1) as well as lin and trace is illustrated in Figure 2.6.
Since nested (string(W )) = W for any nested word W , we may consider the set of
linearizations of T as a string language over ⌃. This will facilitate some definitions
when we consider languages up to a congruence relation taking into account that
some actions are independent (those that do not share processes), while others are
not (those that have at least one process in common).
˜ we define an independence relation I ˜ def
Given the distributed alphabet ⌃,
⌃ = {(a, b) 2
⌃⇥⌃ | (a)\ (b) = ;}. Note that I⌃˜ is irreflexive and symmetric. Its complement,
def
the dependence relation D⌃˜ = (⌃ ⇥ ⌃) \ I⌃˜ , is, therefore, reflexive and symmetric.
With this, let ⇠⌃˜ ✓ ⌃⇤ ⇥⌃⇤ be the least congruence relation that satisfies ab ⇠⌃˜ ba
˜ is the distributed alphabet from Example 2.2
for all (a, b) 2 I⌃˜ . For example, if ⌃
on page 19, then {a1 a2 cb1 b2 , a2 a1 cb1 b2 , a1 a2 cb2 b1 , a2 a1 cb2 b1 } is an equivalence
class of ⇠⌃˜ . The equivalence relation ⇠⌃˜ is lifted in the natural way to nested
˜ is
words: we let W ⇠⌃˜ W 0 if string(W ) ⇠⌃˜ string(W 0 ). We say that L ✓ NW(⌃)
def
0
0
˜ | W ⇠ ˜ W for some W 2 L}.
⇠⌃˜ -closed if we have L = [L]⌃˜ = {W 2 NW(⌃)
⌃
We will consider an NWA A to be a specification of a system, and we are looking
for a realization or implementation of A, which is provided by an NTA C such
that L(C) = trace(L(A)). Actually, specifications often have a “global” view of the
system, and the difficult task is to distribute the state space onto the processes,
which henceforth communicate in a restricted manner that conforms to the pre˜ Note that, unlike lin(L(C)), the language L(A) is
defined system architecture ⌃.
not necessarily ⇠⌃˜ -closed. However, A may yet be considered as an incomplete
specification so that we can still ask for an NTA C such that L(C) = trace(L(A)).
Note that it is easy to come up with an NWA recognizing the linearizations of the
nested traces for a given NTA. Here, the state space of the NWA is the cartesian
product of the local state spaces.
˜ There is an NWA A over ⌃
˜ such that
Lemma 2.30. Let C be an NTA over ⌃.
L(A) = lin(L(C)).
We are, however, interested in the other direction of transforming a given NWA
into an NTA. As a preparation, we now recall two well-known theorems from
Mazurkiewicz trace theory. The first one, Zielonka’s celebrated theorem, applies
to distributed alphabets such that ⌃ = ⌃int . It will later be lifted to general
distributed alphabets.
30
˜ such that
Theorem 2.31 ([Zie87]). Suppose ⌃ = ⌃int . Let A be an NWA over ⌃
˜
L(A) is ⇠⌃˜ -closed. Then, there is an NTA C over ⌃ such that L(C) = trace(L(A)).
Note that the theorem actually yields a deterministic trace automaton (we omit
the definition). The doubly exponential complexity (in the number of processes) of
Zielonka’s construction has been reduced to singly exponential [GM06, GGMW10].
Moreover, under the assumption ⌃ = ⌃int , closure under ⇠⌃˜ is a decidable criterion:
Theorem 2.32 ([Mus94, PWW98]). The following is Pspace-complete:
˜ such that ⌃ = ⌃int ; NWA A over ⌃
˜
Instance: ⌃
Question: Is L(A) ⇠⌃˜ -closed ?
Note that, in these theorems, the NWA and the NTA do not employ any stack so
that we actually deal with a finite and a trace automaton, respectively. However,
one can lift Zielonka’s theorem to arbitrary distributed alphabets:
˜ such that the language
Theorem 2.33 ([BGH09]). Let A be an NWA over ⌃
˜
L(A) is ⇠⌃˜ -closed. There is an NTA C over ⌃ such that L(C) = trace(L(A)).
Proof (sketch). We interpret the given NWA A = (S, , , ◆, F ) as an NWA B
˜ = (⌦, P, 0 , type 0 ). Here, ⌦ = ⌃ ⇥ and,
over a new distributed alphabet ⌦
0
for all (a, A) 2 ⌃ ⇥ , type ((a, A)) = int and 0 ((a, A)) = (a). A transition
(s, a, A, s0 ) 2 call [ ret in A is considered as a transition (s, (a, A), s0 ) in the
new NWA B, and a transition (s, a, s0 ) 2 int is translated to (s, (a, A), s0 ) with A
˜
arbitrary. One can now apply Theorem 2.31 to obtain, from B, an NTA C over ⌦.
0
˜ In particular,
Finally, we reinterpret C as an NTA C over the original alphabet ⌃.
0
0
a call or return transition (s, (a, A), s ) becomes (s, a, A, s ).
Remark 2.34. The size of C is at most doubly exponential in |A| and triply
exponential in |⌃|, when we use the construction from [GM06].
Actually, Theorem 2.33 is a corollary of a more general statement, which uses the
notion of a lexicographic normal form and is also used to prove a different result
on NWA realizability (Theorem 2.38 below).
Theorem 2.33 demonstrates that NWAs, though they have a global view of the system in terms of one single state space, are suitable specifications for NTAs provided
they recognize a ⇠⌃˜ -closed language. Unfortunately, it is in general undecidable if
the language of a given NWA is ⇠⌃˜ -closed. This can be easily shown by a reduction
from the undecidable emptiness problem (cf. Theorem 2.5 on page 20).
Theorem 2.35. The following problem is undecidable:
˜ ; NWA A over ⌃
˜
Instance: ⌃
Question:
Is L(A) ⇠⌃˜ -closed ?
31
Therefore, we will consider restrictions to ✓-words, for suitable ✓ 2 R. This will
allow us to define decidable sufficient criteria for the transformation of an NWA into
an NTA. We will state a Zielonka-like theorem that is tailored to this restriction. In
the theorem, we require that an NWA represents the ✓-words of a system, while the
final implementation can produce executions that do not fit into the ✓-restriction.
A ✓-representation is a set of nested words that does not distinguish between locally
˜ are said to be locally
equivalent ✓-words. Here, two nested words W, W 0 2 NW(⌃)
loc
0
⇤
equivalent, written W ⇠⌃˜ W , if there are u, v 2 ⌃ and (a, b) 2 I⌃˜ such that
string(W ) = uabv and string(W 0 ) = ubav.
˜
Definition 2.36. Let ✓ 2 R and L ✓ NW(⌃).
We call L a ✓-representation if
0
0
˜
˜
L ✓ NW✓ (⌃) and, for all W, W 2 NW✓ (⌃) such that W ⇠loc
˜ W , we have W 2 L
⌃
0
iff W 2 L.
}
Example 2.37. For the NWA A2.2 from page 20, we have that L(A2.2 ) is both
a 2-phase representation and an ordered representation. It is, however, neither a
k-context nor a k-scope representation, for any k 1.
}
Next, we present our Zielonka theorem suited to ✓-representations. Hereby, we
def
require that ✓ be a member of the set R = {k-cnt , k-ph | k
1}. We do not
know if the following result holds for bounded-scope or ordered representations.
˜ such
Theorem 2.38 ([BGH09]). Let ✓ 2 R and let A be an NWA over ⌃
˜
that L(A) is a ✓-representation. Then, there is an NTA C over ⌃ such that
L(C) = trace(L(A)).
The proof of Theorem 2.38 relies on the definition of a lexicographic normal form
that allows one to apply Ochmańskis Theorem [Och95]. The crux is that reordering
independent events in order to obtain the lexicographic normal form shall not affect
membership in the given ✓-representation. This, however, requires an extension of
the underlying distributed alphabet. Note that the theorem was stated in [BGH09]
only for the phase-restriction, but proving it for contexts is along the same lines.
Indeed, being a ✓-representation is a decidable criterion (for all ✓ 2 R, including
“bounded scope” and “ordered”). It is also decidable whether the ✓-restriction of a
given NWA is ⇠⌃˜ -closed (which implies that it is a ✓-representation).
Theorem 2.39. The following problems are decidable (for every ✓ 2 R) in elementary time:
˜ ; NWA A over ⌃
˜
Instance:
⌃
Question 1:
Question 2:
Is L✓ (A) ⇠⌃˜ -closed ?
Is L✓ (A) a ✓-representation ?
32
Proof (sketch). We will give the rough idea of the proof, which is inspired by
[Mus94, PWW98] where similar problems are addressd in a stack-free setting. Consider first Question 1. Using Theorem 2.22, we transform the given NWA A into
˜ \ L✓ (A). Afan NWA A0 for the complement, i.e., such that L(A0 ) = NW(⌃)
˜ where
terwards, we build an NWA B recognizing all nested words W 2 NW(⌃)
string(W ) is of the form uabv such that (a, b) 2 I⌃˜ and ubav 2 string(W 0 ) for
some W 0 2 L(A0 ). Then, L✓ (A) is not ⇠⌃˜ -closed iff L✓ (B) 6= ;. The latter is
decidable due to Theorems 2.15–2.18. To solve Question 2, we build A0 such that
˜ \ L(A) (again, using Theorem 2.22).
L(A0 ) = NW✓ (⌃)
2.7 Realizability of MSO Specifications
On a higher level than NWAs, concurrent recursive programs can be specified in
logic, be it MSO logic or temporal logic (for the latter, see the subsequent section).
˜ is defined just as nwMSO but,
Similarly to the word case, the logic ntMSO(⌃)
instead of C+1 , it features a collection of predicates Cp , one for every process
˜ we denote by L(') the set of nested
p 2 P . Given a sentence ' 2 ntMSO(⌃),
˜ such that T |= '.
traces T over ⌃
Again, we will recall a well known result for concurrent programs without stacks,
and then lift it to the recursive setting.
˜ The following
Theorem 2.40 ([Tho90]). Suppose ⌃ = ⌃int and let L ✓ NTr(⌃).
statements are effectively equivalent:
1. There is an NTA C such that L(C) = L.
˜ such that L(') = L.
2. There is a sentence ' 2 ntMSO(⌃)
Note that this theorem cannot be lifted to nested structures without imposing
any restriction. This is due to the fact that NWAs (and, therefore, NTAs) are
not complementable (Theorem 2.21), while MSO logic is closed under negation.
However, it will turn out that restricting to k-context/k-phase traces also helps in
this case.
Of course, given a restriction ✓ 2 R, we first have to clarify what we mean by a
✓-trace. There are at least two reasonable possibilities. For example, we may call
a nested trace T a ✓-trace if all linearizations of T are ✓-words. Alternatively, we
may require that some linearization of T is a ✓-word. We will choose the latter,
existential, definition, as it captures more nested traces. Note that there are similar
options and definitions in the setting of MSCs (cf. Chapter 3).
˜ a ✓-trace if lin(T ) \ NW✓ (⌃)
˜ 6= ;. We adopt other
Thus, we call T 2 NTr(⌃)
˜
notations for nested words and let NTr✓ (⌃) be the set of ✓-traces. Moreover, for
def
˜ For a sentence ' 2 ntMSO(⌃),
˜ the
an NTA C, we let L✓ (C) = L(C) \ NTr✓ (⌃).
set L✓ (') is defined accordingly.
33
Example 2.41. The nested trace T2.4 is a 2-phase trace (it admits the 2-phase
linearization W2.1 ), a 4-context trace, a 3-scope trace, and an ordered trace (since
its linearization W2.1 is ordered).
}
As a preparation of a logical characterization of NTAs, we show that they are
complementable for some restrictions of nested traces. This is an analogue of
Theorem 2.22 for NWAs. As we rely on Theorem 2.38, we have to restrict to the
set R = {k-cnt , k-ph | k 1}, i.e., to bounded contexts or bounded phases.
˜ Then, there is an NTA
Lemma 2.42. Let ✓ 2 R and let C be an NTA over ⌃.
˜ \ L(C).
C 0 such that L(C 0 ) = NTr✓ (⌃)
Proof. From the given NTA C be an NTA, using Lemma 2.30 and Theorem 2.22, we
˜ such that L(A) = NW✓ (⌃)\lin(L(C)).
˜
get an NWA A over ⌃
Observe that L(A) is
˜ such that L(C 0 ) =
a ✓-representation. By Theorem 2.38, there is an NTA C 0 over ⌃
0
˜ \ L(C).
trace(L(A)). One easily verifies that we actually have L(C ) = NTr✓ (⌃)
˜
In particular, Lemma 2.42 implies that there is an NTA recognizing the set NTr✓ (⌃).
The following theorem constitutes a generalization of Theorem 2.40 adapted to ✓traces, where ✓ 2 R .
Theorem 2.43 ([BGH09]). The following implications are effective:
˜ there is a sentence ' 2 ntMSO(⌃)
˜ such that
1. For every NTA C over ⌃,
L(') = L(C).
˜ there is an NTA C over ⌃
˜
2. Let ✓ 2 R . For every sentence ' 2 ntMSO(⌃),
such that L(C) = L✓ (').
Proof (sketch). The proof of 1. follows the standard construction for the translation
of automata into logic. One guesses an assignment of states and stack symbols to
events in terms of existentially quantified second-order variables. Then, a firstorder kernel checks if the assignments actually correspond to an accepting run.
For the proof of 2., we proceed by structural induction. Hereby, the only critical
case is negation, which will be taken care of by Lemma 2.42. For simplicity, we
suppose that there are no free variables. To get an automaton for ¬', suppose
that we already have an NTA C such that L(C) = L✓ ('). By Lemma 2.42, there
˜ \ L(C). We have L(C 0 ) = L✓ (¬') so that
is an NTA C 0 such that L(C 0 ) = NTr✓ (⌃)
we are done.
2.8 Temporal Logic for Nested Words
In this section, we consider the model-checking problem for phase-bounded NWAs.
Note that we can already infer, from the previous results, that it is decidable
34
whether all (phase-bounded) nested words accepted by a given NWA satisfy a
given MSO formula. However, since the complexity is inherently nonelementary, it
is worth looking at temporal logics for nested words.
There has been a whole bunch of papers considering the model-checking problem for
temporal logics over (multiply) nested words [Ati10, BCGZ14, CGNK12, LTN12,
ABKS12, BS14]. These works differ in the choice of the behavioral restriction
described before (context-, phase-, scope-bounded, ordered), but also in the concrete temporal logic adopted for the model-checking task. While [Ati10, ABKS12]
consider properties over strings such as classical LTL rather than nested words,
[LTN12] introduces a temporal logic that allows one to identify related call and
return positions of a given process and to distinguish between linear successors
(referring to the word structure) and abstract successors (involving the nesting
edges). However, as a matter of fact, there is so far no agreement on a canonical
temporal logic for nested words, not even for those with one single nesting relation
[AAB+ 08, AEM04].
We, therefore, consider the class of all temporal logics as defined in the book by
Gabbay, Hodkinson, and Reynolds [GHR94], which subsumes virtually all existing
formalisms. The unifying feature of these temporal logics is that their modalities
are defined in MSO logic. In [BCGZ14], we showed that satisfiability and model
checking for any MSO-definable temporal logic are decidable in Exptime when
restricting to phase-bounded executions. We improved this in [BKM13] showing
that the problems are still elementary if k is part of the input. This is an important
issue, as an elementary procedure allows for a gradual adjustment of k at the cost
of only an elementary blow-up. In the following, we will review the main results of
[BKM13].
˜ = (⌃, P, type, ). For a natural number m 2 N,
We fix a distributed alphabet ⌃
˜
we call ' 2 nwMSO(⌃) an m-ary modality if its free variables consist of one firstorder variable x and m set variables X1 , . . . , Xm . The idea is that variable Xi is
interpreted as the set of positions where the i-th argument of the modality holds.
˜ is given by a triple L = (M, arity, [[ ]])
Definition 2.44. A temporal logic (over ⌃)
including
• a finite set M of modality names,
• a mapping arity : M ! N, and
˜ such that, for M 2 M with arity(M ) = m,
• a mapping [[ ]] : M ! nwMSO(⌃)
[[M ]] is an m-ary modality.
}
The syntax of L, i.e., the set of formulas ' 2 Form(L), is given by
' ::= a | ¬' | ' _ ' | M (', . . . , ')
| {z }
arity(M )
where a ranges over ⌃ and M ranges over M.
35
˜
The semantics of a formula ' 2 Form(L) wrt. a nested word W = (E, C, ) over ⌃
is defined inductively as a set [[']]W ✓ E, containing the events of W that satisfy
'. Formally, [[ ]]W is given as follows:
def
• [[a]]W = {e 2 E | (e) = a}
def
• [[¬']]W = E \ [[']]W
def
• [['1 _ '2 ]]W = [['1 ]]W [ [['2 ]]W
def
• [[M ('1 , . . . , 'm )]]W = {e 2 E | W |=Ie [[M ]]}
where Ie is such that x is mapped to e, and Xi to [['i ]]W for all i 2 {1, . . . , m}
Example 2.45. As mentioned above, a wide range of temporal logics have been
defined for nested words and concurrent systems. Their until operator usually depends on what is considered a path between two word positions and, more specifically, on a notion of successor. In the classical setting of words without nesting
relations, one naturally considers the direct successor following the linear order.
The situation is less clear in the presence of one or more nesting relations. In
[AAB+ 08], Alur et al. identify three different kinds of successors in singly nested
words, namely the linear, call, and abstract successor. Each of them comes with a
separate until operator.
Towards nested words with multiple nesting relations, Atig et al. consider only the
linear successor [Ati10, ABKS12], while La Torre and Napoli also define modalities
that correspond to linear, call, and abstract successors [LTN12]. As an example,
we demonstrate how to deal with the abstract until in our framework. An abstract
p-path in a nested word is a path that does not choose a linear direct successor from
a call position or to a return position (wrt. Ccr \ (Ep ⇥ Ep )). The temporal-logic
formula ' Uap for the abstract until says that, starting from x, there is an abstract
p-path (represented by a second-order variable Y ) to some event x0 . Hereby, we
require that ' is satisfied along the path (Y ✓ X1 ) until x0 satisfies (x0 2 X2 ).
Formally, the binary modality Uap is defined by
[[Uap ]](x, X1 , X2 ) =
⇣
9Y.9x0 . Y ✓ X1 ^ x0 2 X2 ^
8z.(z 2 Y _ z = x0 ) ! z = x _ 9y.(y 2 Y ^ 'p (y, z))
Hereby,
⌘
.
def
'p (y, z) = (p(y) ^ y Ccr z) _ (y C+1 z ^ ¬callp (y) ^ ¬retp (z))
W
def W
def
where p(x) = a2⌃ a(x) and, for ⌧ 2 {call, ret}, ⌧p (x) = p(x) ^ a2⌃ a(x).
p2 (a)
type(a)=t
Indeed, all the modalities considered in [AAB+ 08, Ati10, ABKS12, LTN12] are
MSO-definable. However, they appear to be just a few of many other possibilities.
For example, one may define an abstract path including two or more nesting relations, or include past-time counterparts of until modalities, which are not present
36
in [LTN12]. Such extensions can be realized in our framework by giving their definition in MSO. An elementary upper bound of the satisfiability and model-checking
problem follows immediately from the result stated below, without changing anything in the decidability proof.
}
˜ For a temporal-logic formula ' 2 Form(L), we
Let L be a temporal logic over ⌃.
let L(') be the set of nested words W such that e 2 [[']]W where e is the (unique)
minimal event of W . Now, the corresponding model-checking problem is defined
as follows:
˜ L):
Problem 2.46. NWA-Model-Checking(⌃,
Instance:
Question:
For n
˜ ; ' 2 Form(L) ; k
NWA A over ⌃
Do we have Lk-ph (A) ✓ L(') ?
1 (encoded in unary)
˜ be the set of nwMSO(⌃)-formulas
˜
0, let M⌃n (⌃)
of the form
9X 1 .8X 2 . . . 9/8X n .'
where ' is a first-order formula, i.e., it does not contain any second-order quantifier, and the X i are blocks of second-order variables. A temporal logic L =
˜
(M, arity, [[ ]]) is called M⌃n (⌃)-definable
if, for all M 2 M, we have [[M ]] 2
˜
M⌃n (⌃).
˜
Theorem 2.47 ([BKM13]). Let n
0 and let L be some M⌃n (⌃)-definable
˜
temporal logic. Then, NWA-Model-Checking(⌃, L) is in (n + 2)-Exptime.
˜ such that, for
Theorem 2.48 ([BKM13]). There is a distributed alphabet ⌃
˜
all n 1, there is an M⌃n (⌃)-definable temporal logic L for which the problem
˜ L) is n-Expspace-hard.
NWA-Model-Checking(⌃,
Two key ideas are pursued in the proof of the upper bound. First, we translate, in
polynomial time, a temporal logic formula into an MSO formula in a certain normal
form. The construction is based on Hanf’s locality theorem and independent of
the number of phases. Second, we show that an MSO formula in normal form
can be transformed into a tree automaton in (n + 1)-fold exponential space. The
tree automaton works on tree encodings of multiply nested words and can then be
checked for emptiness. One of its key ingredients is a tree automaton recovering
the direct successor relation of the encoded multiply nested words. We show that
such an automaton can be computed in polynomial space, avoiding the generic
doubly exponential construction given in [LMP07].
37
2.9 Perspectives
Most results presented in this chapter rely on the specific restriction of the domain
of nested words to bounded contexts/phases, scopes, or to ordered words. It will
be worthwhile to study a more generic setting by bounding the split-width. The
model-checking question has been well-studied here as well [CGNK12, AGNK14b,
Men14], but not much is known about realizability.
Note that some realizable specifications will inevitably yield implementations in
terms of NWAs that are non-deterministic and suffer from deadlocks. One should,
therefore, study classes of NWAs that are arguably more “realistic” meaning, in
particular, that they are deterministic and deadlock-free [SEM03, ADGS13]. A
natural question is then to ask for a specification formalism that guarantees such
realistic implementations.
It also remains to study realizability in the realm of recursive processes communicating through FIFO channels [LMP08a, HLMS12]. The model-checking question is by now well understood, in particular thanks to the split-width technique
[AGNK14b, Cyr14]. To the best of our knowledge, realizability questions for such
communicating recursive processes have not been considered. The quest for controllers, whose study has been initiated in [AGNK14a], seems to be closely related.
38
CHAPTER
3
Parameterized Message-Passing Systems
While, in Chapter 2, the communication topology was static and fixed once for all
˜ we now consider systems that can be run
in terms of a distributed alphabet ⌃,
on any topology from a (possibly infinite) class of topologies. Thus, the topology
becomes a parameter of the system. We will study parameterized systems in the
realm of message passing.
There has been a large body of literature on parameterized concurrent systems
(e.g., [EN03, EK04, LMP10b, ABQ11, DSZ11, AHH13, EGM13, Esp14, AJKR14]),
with a focus on verification: Does the given system satisfy a specification independently of the topology or the number of processes? A variety of different models
have been introduced, covering a wide range of communication paradigms such as
broadcasting, rendez-vous, token-passing, etc. However, it is justified to say that,
so far, there is no such thing as a canonical or “robust” model of parameterized
concurrent systems. In particular, expressiveness issues have not been considered.
One reason for that may be that the semantics of parameterized systems is often
described in terms of strings that represent interleavings of independent events.
Since such interleavings blur the natural direct-successor relation of a single process, it is hard to find logical or algebraic formalisms over strings that match the
expressive power of automata.
Similarly to nested traces from the previous chapter, the semantics that we present
here does not rely on interleavings but keeps a maximum of information on an
execution, such as a direct-successor relation for each process. This will finally
allow us to come up with classes of parameterized message-passing systems that
can be considered robust, since they satisfy at least one of the following properties:
(a) They have a decidable emptiness problem.
39
(b) They are closed under boolean operations.
(c) They enjoy a natural logical characterization.
In particular, we provide several Büchi-Elgot-Trakhtenbrot Theorems, which roughly
read as follows:
Given a formula ' and a class T of topologies, there is a
system A such that, whenever A is run on a topology from
T, it accepts exactly the behaviors that are a model of '.
Depending on the logic and the class of topologies, such a result will require further
restrictions on the behavior of a system, similar in spirit to the restrictions that
we considered in Chapter 2 in the realm of multiply nested words.
3.1 Topologies
As we are in a parameterized setting, we assume that there are a finite but unbounded number of processes. We consider that processes are equipped with interfaces, through which they can talk to other processes. When interfaces of different
processes are plugged together, we obtain a topology.
Though the number of processes may be unbounded, we will assume that there
is a fixed nonempty finite set N = {a, b, c, . . .} of interface names (or, simply,
interfaces). When we consider pipelines or rings, then we may set N = {a, b}
where a refers to the right neighbor and b to the left neighbor of a process. A
pipeline with four processes is depicted in Figure 3.1 and a ring with five processes
in Figure 3.2. They allow a process to execute an action a!, which sends a message
to its right neighbor, or an action b!, which sends a message to the left neighbor.
The complementary receive actions are a? and b?, which receive from the right and
left neighbor, respectively. For grids, we will need two more names, which refer to
adjacent processes above and below (Figure 3.4). Ranked trees require an interface
for each of the (boundedly many) children of a process, as well as pointers to the
father process (see Figure 3.3 for a binary tree).
Actually, we assume that two processes p and q that are adjacent in a topology
communicate through channels. More precisely, there are two FIFO channels between p and q, one for messages sent from p to q, and one for messages from q to
p. Thus, an edge p a b q in the topology shall be understood as
a!
p
b?
q
a?
b!
.
As every process can only talk directly to |N | neighbors, topologies are structures
of bounded degree. This excludes star topologies or unranked trees, but takes into
account such natural cases as pipelines, ranked trees, rings, and grids.
40
b
a
a
a
b
a
b
a
a
b
a
b
a
a
b
a
a
b
c
c
d
d
Figure 3.3: Tree topology
a
b
d
b
c
a
b
c
d
a
b
c
d
d
a
b
c
c
b
a
Figure 3.2: Ring
d
a
b
b
c
b
b
b
Figure 3.1: Pipeline
a
d
c
a
b
c
a
b
d
d
c
a
b
d
Figure 3.4: Grid
Definition 3.1 (topology). A topology over N is a pair T = (P,
) where P
is the nonempty finite set of processes and
✓ P ⇥ N ⇥ N ⇥ P is the edge
relation. We write p a b q for (p, a, b, q) 2
, which signifies that the a-interface
of p points to q, and the b-interface of q points to p. We require that, whenever
p a b q, the following hold:
(a) p 6= q
(b) q
b a
(there are no self loops),
p
(adjacent processes are mutually connected), and
0
0
(c) for all a0 , b0 2 N and q 0 2 P such that p a b q 0 , we have a = a0 iff q = q 0
(an interface points to at most one process, and two distinct interfaces point
to distinct processes).
}
The automata and logics that we are going to define will not be able to distinguish
isomorphic topologies. An exception is Section 3.5, where topologies are fixed.
Example 3.2. In this chapter, the focus will be on the specific topology classes
that are illustrated in Figures 3.1–3.4. We define pipelines and rings as topologies
over {a, b}, and binary trees and grids as topologies over {a, b, c, d}. However, whenever convenient, we assume that pipelines and rings are topologies over {a, b, c, d}
as well, though they do not make use of c and d. Note that several of the results
in this chapter actually extend to more general classes.
• A pipeline is a topology over {a, b} of the form ({1, . . . , n},
) where n 2
and
= { (i, a, b, i + 1) | i 2 [n 1]} [ { (i + 1, b, a, i) | i 2 [n 1]}. Note
that a pipeline is uniquely determined by its number of processes.
41
• A ring is like a pipeline where the endpoints are glued together. I.e., it is a
topology of the form ({1, . . . , n},
) where n 3 and the edge relation is
given by
= { (i, a, b, (i mod n) + 1) | i 2 [n]} [ { ((i mod n) + 1, b, a, i) |
i 2 [n]} . Like a pipeline, since we do not distinguish isomorphic topologies,
a ring is uniquely determined by its number of processes. A ring forest is
simply a disjoint union of rings.
• A (binary-)tree topology is a topology (P,
) over {a, b, c, d} where P is a
⇤
prefix-closed subset of {0, 1} such that |P |
2, and
= { (u, a, b, u0) |
u, u0 2 P } [ { (u0, b, a, u) | u, u0 2 P } [ { (u, c, d, u1) | u, u1 2 P } [
{ (u1, d, c, u) | u, u1 2 P } .
• A grid is a topology of the form ([m] ⇥ [n],
=
[
[
[
{ ((i, j), a, b, (i, j + 1))
{ ((i, j + 1), b, a, (i, j))
{ ((i, j), c, d, (i + 1, j))
{ ((i + 1, j), d, c, (i, j))
|
|
|
|
) where max{m, n}
i 2 [m]
i 2 [m]
i 2 [m
i 2 [m
and j 2 [n 1]}
and j 2 [n 1]}
1] and j 2 [n]}
1] and j 2 [n]} .
2 and
}
3.2 Message Sequence Charts
As already mentioned, we do not consider an interleaving semantics but rather
keep a maximum of information about the type of an event and the causal dependencies between events. One possible behavior of a system is depicted as a message
sequence chart (MSC). An MSC consists of a topology (over the given set of interfaces) and a set of events, which represent the communication actions executed
by a system. Events are located on the processes and connected by process and
message edges, which reflect causal dependencies.
Definition 3.3 (MSC). A message sequence chart (MSC) over N is a tuple M =
(P,
, E, C, ⇡) where
• (P,
) is a topology over N ,
• E is the nonempty finite set of events,
• C ✓ E ⇥ E is the acyclic edge relation, which is partitioned into Cproc and
Cmsg , and
• ⇡ : E ! P determines the location of an event in the topology; for p 2 P , we
def
let Ep = {e 2 E | ⇡(e) = p}.
We require that the following hold:
S
• Cproc is a union p2P Cp where each Cp ✓ Ep ⇥ Ep is the direct-successor
relation of some total order on Ep ,
42
Cproc
>
<
>
>
:
b?
a!
a!
b?
M1
b
s1 a
Cproc
8
>
>
<
>
>
:
b?
b s2 a
b s2 a
b s3 a
M2
b s3 a
b
s1 a
b s2 a
b
s1 a
b s2 a
bs a
2
Cmsg
a!
b?
a!
Figure 3.5: Two MSCs with a ring topology
M2
• bthere
is a partition E = E ]a E? such that Cmsg induces a bijection between
s1 a b s2 a b s1 a b s2 a b s!2
E! and E? ,
Mittwoch, 3. Dezember 14
• for all (e, f ) 2 Cmsg , there are a, b 2 N such that ⇡(e)
cation is restricted to adjacent processes), and
a b
⇡(f ) (communi-
• for all (e, f ), (e0 , f 0 ) 2 Cmsg such that ⇡(e) = ⇡(e0 ) and ⇡(f ) = ⇡(f 0 ), we
have e C⇤proc e0 iff f C⇤proc f 0 (FIFO).
}
def
Let ⌃ = {a! | a 2 N } [ {a? | a 2 N }. We define a mapping `M : E ! ⌃ that
associates
with each event of the MSC M the type of action that it executes: for
Mittwoch, 3. Dezember
14
(e, f ) 2 Cmsg and a, b 2 N such that ⇡(e) a b ⇡(f ), we set `M (e) = a! and
`M (f ) = b?.
The set of MSCs (over the fixed set N ) is denoted by MSC. Like for topologies,
we usually do not distinguish isomorphic MSCs.
Example 3.4. Two example MSCs are depicted in Figure 3.5. As we will see,
they represent executions of a token-ring protocol. In particular, their underlying
topologies are rings (of size 5). The process labelings s1 , s2 , s02 , s3 can be ignored
for the moment. The events are the endpoints of message arrows, which represent
Cmsg . Process edges are implicitly given; they connect successive events located on
the same (top-down) process line. Finally, the mapping `M is illustrated on a few
events.
}
3.3 Underapproximation Classes
Similarly to multiply nested words (Chapter 2), we will run quickly into undecidability and non-complementability without imposing any restriction on the behavior of a parameterized system. There are several natural restrictions for MSCs.
The simplest one is to assume a class of topologies T among the topologies over
N (e.g., the class of pipelines, trees, rings, grids, or rings) and to restrict ourselves
to the set MSCT , defined as the set of MSCs (P,
, E, C, ⇡) 2 MSC such that
(P,
) 2 T.
43
3.3.1 Channel-Bounded MSCs
Some of our (positive) results will deal with systems that have (existentially) kbounded channels, for some k 1 (see, e.g, [LM04, GKM06, GKM07]). Intuitively,
an MSC is k-bounded if it can be scheduled in such a way that, along the execution, there are never more than k messages in each channel. Formally, we define
boundedness via linearizations. A linearization of an MSC M = (P,
, E, C, ⇡)
⇤
is any total order ✓ E ⇥ E satisfying C ✓ . Then, is called k-bounded if, for
all f 2 E and all p, q 2 P and a, b 2 N such that p a b q, we have |{e 2 E | e
f , ⇡(e) = p, and `M (e) = a!}| |{e 2 E | e f , ⇡(e) = q, and `M (e) = b?}|  k.
In other words, in any prefix of , there are no more than k pending messages, in
every “channel” (p, q).
Definition 3.5 (k-bounded MSC). For a natural number k
said to be k-bounded if it has some k-bounded linearization.
1, an MSC is
}
A stronger restriction is that of rendez-vous communication, where a send event
and its receive event are executed simultaneously. We then say that an MSC is
0-bounded.
Definition 3.6 (0-bounded MSC). An MSC (P,
, E, C, ⇡) 2 MSC is called
1
0-bounded if the graph (E, C [ Cmsg ), does not admit a cycle that uses at least one
Cproc -edge.
}
Intuitively, message edges in a 0-bounded MSC can always be drawn horizontally.
For k 2 N, the set of k-bounded MSCs is denoted MSC9k . Note that, for all k 2 N,
we have MSC9k $ MSC9k+1 . The MSCs from Figure 3.5 are both 0-bounded.
3.3.2 Context-Bounded MSCs
We will see that even restricting to pipelines and 0-bounded MSCs will not be
enough to obtain a “robust” class of parameterized automata that is closed under complementation. Inspired by the notion of a context bound in the realm of
multiply nested words (cf. Chapter 2), we now introduce context-bounded MSCs.
Actually, the efficiency of distributed algorithms and protocols is usually measured
in terms of two parameters: the number n of processes, and the number k of
contexts. It is, therefore, natural to bound any of these parameters in order to turn
parameterized communicating automata (as defined below) into a robust model.
Note that bounding the number of processes is known as “cut-off” (see, e.g., [EN03,
AKR+ 14]). A context, on the other hand, restricts communication of a process to
patterns such as “send a message to each neighbor and receive a message from each
neighbor”. The trade-off between n and k is often in favor of a smaller k, so that
it is all the more justified to impose a bound on k.
Here, we actually consider more relaxed definitions where, in every context, a
process may perform an unbounded number of actions. In an interface-context, for
example, a process can send and receive an arbitrary number of messages to/from a
44
fixed neighbor. A second context-type definition allows for arbitrarily many sends
to all neighbors, or receptions from a fixed neighbor.
Recall that ⌃ = {a! | a 2 N } [ {a? | a 2 N }. A word w 2 ⌃⇤ is called an
•
•
•
•
(s r)-context if w 2 {a! | a 2 N }⇤ or w 2 {a? | a 2 N }⇤ ,
(s1+r1)-context if w 2 {a! , b?}⇤ for some a, b 2 N ,
(s r1)-context if w 2 {a! | a 2 N }⇤ or w 2 {b?}⇤ for some b 2 N ,
intf-context if w 2 {a! , a?}⇤ for some a 2 N .
The context type s1 r (w 2 {a!}⇤ for some a 2 N or w 2 {b? | b 2 N }⇤ ) is dual
to s r1, and we only consider the latter case. All results for s r1 presented below
are valid for s1 r.
Let k
1 be a natural number and ct 2 {s r, s1+r1, s r1, intf} be a context
type. We say that w 2 ⌃⇤ is (k, ct)-bounded if there are w1 , . . . , wk 2 ⌃⇤ such that
w = w1 ·. . .·wk and wi is a ct-context, for all i 2 [k]. To lift this definition to MSCs
M = (P,
, E, C, ⇡), we define the projection M |p 2 ⌃⇤ of M to a process p 2 P .
Let e1 Cproc e2 Cproc . . . Cproc en be the unique process-order preserving enumeration
of all events of Ep . We let M |p = `M (e1 )`M (e2 ) . . . `M (en ). In particular, Ep = ;
implies M |p = ".
Definition 3.7 ((k, ct)-bounded MSC [BGS14]). Let k 1 be a natural number and ct 2 {s r, s1+r1, s r1, intf}. We say that an MSC M = (P,
, E, C, ⇡) 2
MSC is (k, ct)-bounded if M |p is (k, ct)-bounded, for all p 2 P .
}
Let MSC(k,ct) denote the set of all (k, ct)-bounded MSCs.
Example 3.8. As every process in the MSCs from Figure 3.5 executes only two
events, both MSCs are (2, ct) bounded, for all context types ct. Now, consider
the set L of MSCs depicted in Figure 3.10 on page 55, where we assume that the
dotted areas can be arbitrarily large. Contexts are depicted as rectangles. Every
MSC in L is (3, s r1)-bounded: processes 1, 2, and 3 use three contexts, while 4
and 5 use only one context. However, for all k 1, there is an MSC in L that is not
(k, intf)-bounded: process 4 switches unboundedly often between sending through
a and sending through b.
}
3.4 Communicating Automata
Next, we introduce our automata model of a parameterized message-passing system, which can be run on any topology over the fixed set N . The idea is that each
process can execute actions of the form (a!, m), which emits a message m through
interface a, or (a?, m), which receives m from interface a.
Given a topology T = (P,
) over N , an automaton will actually run identical
def
subautomata on processes of the same type. We define type : P ! 2N by type(p) =
{a 2 N | there are b 2 N and q 2 P such that p a b q}. Thus, type(p) contains
those interfaces of p that are connected to some other process in T (we assume
that T is clear from the context).
45
Definition 3.9 (CA). A communicating automaton (CA) over the set of interface names N is a tuple A = (S, ◆, Msg, , F) where
• S is the finite set of states,
• ◆ : 2N ! S assigns to every possible type in a topology an initial state,
• Msg is a nonempty finite set of messages,
•
✓ S ⇥ (⌃ ⇥ Msg) ⇥ (S \ ◆(2N )) is the transition relation, and
• F is the acceptance condition (which will be specified below).
}
def
Here, ◆(2N ) = {◆(A) | A ✓ N }. Thus, processes do not return to initial states.
This is a purely technical issue which allows us to consider several automata models
in a unifying framework.
Let M = (P,
, E, C, ⇡) be an MSC. A run of A on M will be a mapping
⇢ : E ! S satisfying some requirements. As in the previous chapter, ⇢(e) can be
seen as the local state of ⇡(e) after executing e. To determine when ⇢ is a run, we
define another mapping, ⇢ : E ! S, denoting the source states of a transition:
whenever f Cproc e, we let ⇢ (e) = ⇢(f ); moreover, if e is Cproc -minimal, we let
⇢ (e) = ◆(type(⇡(e))). With this, we say that ⇢ is a run of A on M if, for all
(e, f ) 2 Cmsg , there are a, b 2 N and a message m 2 Msg such that ⇡(e) a b ⇡(f ),
(⇢ (e), (a!, m), ⇢(e)) 2 , and (⇢ (f ), (b?, m), ⇢(f )) 2 .
Whether a run is accepting or not depends on the variant of CA and, in particular,
its acceptance condition. Those will be defined below. In any case, acceptance will
depend on the mapping M,⇢ : P ! S that collects, for every process p the final
state M,⇢ (p) in which p terminates. Formally, M,⇢ (p) = ◆(type(p)) if Ep = ;.
Otherwise, M,⇢ (p) = ⇢(e) where e is the Cproc -maximal event from Ep .
Example 3.10. The CA Atoken over {a, b} from Figure 3.6 describes a simplified
version of the IEEE 802.5 token-ring protocol. In the protocol, a single binary
token, which can carry a value from m 2 {0, 1}, circulates in a ring. Initially, the
token has value 1. A process that has the token may emit a message and pass it
along with the token to its a-neighbor. We will abstract the concrete message away
and only consider the token value. Since all processes in a ring have type {a, b},
we have a single initial state s0 for all of them, i.e., ◆({a, b}) = s0 . Whenever a
process receives the token from its b-neighbor, it will forward it to its a-neighbor,
while
• leaving the token value unchanged (the process then ends in s2 or s3 ), or
• changing its value from 1 to 0, to signal that the message has been received
(the process then ends in s02 ).
We did not define the acceptance condition formally yet. However, note that it
will allow us to require that (i) there is exactly one process that terminates in
46
a
a
b
c
(b?, 1)
◆
(a!, 1)
(a!, 0)
(b?, 0)
(b?, 1)
F
F
⌘
⌘
c
d
statea sb1 and (ii) no process terminates in a state from {t1 , t2 , t3 } (i.e., no process
c
d halfways).
stops
With this condition, MSC M1 from Figure 3.5 will be accepted
a Atoken , awhile M2 is not accepted, since it requires two processes to end in s1 ,
by
d
c
b
b
which
violates
the acceptance condition.
}
(b?, 0)
(a!, 1)
a
b
(a!, 0)
s1
t1
(b?, 0)
s1
(a!, 1)
s2
s0
(b?, 1)
(a!, 1)
s2
(a!, 0)
s2
t2
s3
(b?, 0)
s4
t3
8u. (u) 2 {s1 , . . . , s4 }
(a!, 0)
s3
Figure 3.6: The PCA Atoken
F ^ 9=1 u. (u) = s1
3.5 Fixed-Topology Communicating Automata
Recall that we aim at Büchi-Elgot-Trakhtenbrot Theorems for (parameterized)
CAs. To put the parameterized setting into perspective, we will first recall corresponding results in the case of fixed topologies.
Definition 3.11 (fixed-topology CA). Let T = (P,
) be a topology over N .
A fixed-topology CA over T is a CA A = (S, ◆, Msg, , F) over N where the
acceptance condition F is a set of mappings from P into S.
}
Let A = (S, ◆, Msg, , F) be a fixed-topology CA over T = (P,
). Moreover,
suppose M = (P,
, E, C, ⇡) 2 MSC{T } is an MSC (with topology T ) and ⇢ :
E ! S a run of A on M . Then, ⇢ is accepting if M,⇢ 2 F. By L(A), we denote
the set of MSCs M = (P,
, E, C, ⇡) 2 MSC{T } such that there is an accepting
run of A on M .
Once we fix a topology T = (P,
) (over N ), a corresponding MSO logic comes
naturally. In particular, it features a predicate p(x) to express that some event is
executed by process p 2 P .
Definition 3.12. For a topology T = (P,
given by the grammar
), the syntax of the logic MSOT is
' ::= p(x) | a!(x) | a?(x) | x Cproc y | x Cmsg y | x = y | x 2 X |
¬' | ' _ ' | 9x.' | 9X.'
where p 2 P and a 2 N .
}
As usual, we let EMSOT denote the set of formulas of the form 9X1 . . . 9Xn .'
such that ' does not contain any second-order quantification. For an MSC M =
47
(P,
, E, C, ⇡) 2 MSC{T } , a formula ' 2 MSOT , and an interpretation I of
variables, the satisfaction relation M |=I ' (M |= ' if ' is a sentence) is defined as
expected. For example, M |=I p(x) if ⇡(I(x)) = p, M |=I a!(x) if `M (I(x)) = a!,
and M |=I x Cmsg y if I(x) Cmsg I(y). Note that, since the topology is fixed, a!(x)
and a?(x) can actually be expressed using the predicates of the form p(x) and
x Cmsg y. We let L(') denote the set of MSCs M 2 MSC{T } such that M |= '.
We are now ready to present some previously known logical characterizations of
fixed-topology CAs. Indeed, fixed-topology CAs over T and the logic EMSOT are
expressively equivalent:
Theorem 3.13 ([BL06]). Let T be a topology and L ✓ MSC{T } . The following
statements are equivalent:
1. There is a fixed-topology CA A over T such that L(A) = L.
2. There is a sentence ' 2 EMSOT such that L(') = L.
Proof (sketch). The direction 1. ) 2. is standard.
The proof of the transformation 2. ) 1. is based on Hanf’s normal form, which
states that any first-order formula (over structures of bounded degree) is logically
equivalent to a boolean combination of the form “there are at least n occurrences of
neighborhood N of radius r” (for a uniform r 2 N, which depends on the formula)
[Han65, Lib04]. Here, the neighborhood of an event comprises all events that have
distance at most r in the Gaifman graph (E, C [ C 1 ) of the underlying MSC. As
MSCs are structures of bounded degree (every event has at most three neighbors),
there are, up to isomorphism, only finitely many such neighborhoods. Now, to
prove 2. ) 1., one first constructs a (fixed-topology) CA that “recognizes” neighborhoods of radius r. Another fixed-topology CA then counts these neighborhoods
up to some threshold and determines, based on Hanf’s normal form, if the original
formula is satisfied.
It was shown in [BK12] that the construction of Hanf’s normal form can be done
in triply exponential time. This implies that Theorem 3.13 is actually effective and
that the translation of a formula into an automaton takes only elementary time.
Theorem 3.14 (cf. [BK12]). The transformation of a fixed-topology CA from
a formula as stated in Theorem 3.13 is effective and can be carried out in elementary time.
It was also shown in [BL06] that fixed-topology CAs over the pipeline T with two
processes are not closed under complementation so that MSOT is strictly more
expressive. However, Genest, Kuske and Muscholl showed that the assumption of
existentially bounded channels yields a robust model of message-passing systems:
48
Theorem 3.15 ([GKM06]). Let T be a topology, k 2 N, and L ✓ MSC{T } \
MSC9k . The following statements are equivalent:
• There is a fixed-topology CA A over T such that L(A) = L.
• There is a sentence ' 2 MSOT such that L(') = L.
In particular, it was shown in [GKM06] that there is a fixed-topology CA A over
T such that L(A) = MSC{T } \ MSC9k .
Note that, when restricting MSCs further to universally-k-bounded MSCs (all linearizations are k-bounded), one gets a similar logical characterization and a class
of CAs that is determinizable [HMK+ 05]. On the other hand, determinizability
fails in the case of existentially bounded channels [GKM07].
3.6 Parameterized Communicating Automata (PCAs)
It is our aim to lift the above logical characterizations of fixed-topology CAs to
a parameterized setting. Recall that, when we fixed a topology, the acceptance
condition could directly speak about all of its processes (Definition 3.11). However,
when we have to cope with a class of topologies, this is no longer possible. It is
then natural to specify acceptance in terms of a formula from a tailored monadic
second-order logic, which scans the final configuration reached by a system: the
underlying topology together with the local final states in which the processes
terminate. If S is the finite set of such local states, the formula thus defines a set
of S-labeled topologies, i.e., structures (P,
, ) where (P,
) is a topology and
: P ! S. The corresponding logic tMSO(S) is given by the grammar
F ::= u
a b
v | (u) = s | u = v | u 2 U | ¬F | F _ F | 9u.F | 9U.F
where a, b 2 N , s 2 S, u and v are first-order variables (interpreted as processes),
and U is a second-order variable (ranging over sets of processes). As usual, we
assume an infinite supply of variables. Satisfaction (P,
, ) |= F for an Slabeled topology T and a sentence F 2 tMSO(S) is defined as expected.
Definition 3.16 (PCA). A parameterized communicating automaton (PCA, for
short) over N is a CA A = (S, ◆, Msg, , F) over N where the acceptance condition
F is a sentence from tMSO(S).
}
Let A = (S, ◆, Msg, , F) be a PCA over N , let M = (P,
, E, C, ⇡) be any MSC
over N , and suppose ⇢ : E ! S is a run of A on M . Recall that the mapping
M,⇢ : P ! S yields, for each process p, the state in which p terminates. With
this, ⇢ is accepting if (P,
, M,⇢ ) |= F. By L(A), we denote the set of MSCs M
such that there is an accepting run of A on M .
A (syntactic) subclass of PCAs is obtained when the acceptance condition is only
allowed to count terminal states of non-idle processes, up to some threshold:
49
Definition 3.17 (weak PCA). A PCA A = (S, ◆, Msg, , F) is called weak if
the acceptance condition F is a boolean combination of sentences of the form
9 n u. (u) = s where n 2 N and s 2 S \ ◆(2N ).
}
Here, the formula 9
(u) = s is an abbreviation of
^
^
9u1 , . . . , un .
ui 6= uj ^
(ui ) = s
n u.
1i<jn
1in
which says that there are at least n processes that terminate in state s. As s 62
◆(2N ), these processes have to be non-idle, meaning that they execute at least one
event. Thus, unlike a PCA, a weak PCA is not allowed to talk about the topology
but only about the events of an MSC. In particular, it cannot express that “the
topology has five processes” but only “five processes are non-idle”. This is a priori
weaker, but also makes sense, since it reflects the intuition that a PCA accepts
behaviors rather than topologies.
The set of PCAs over N is denoted by PCAN , the class of weak PCAs over N by
wPCAN .
Example 3.18. We resume Example 3.10 on page 46 describing the CA Atoken
over {a, b}. To get a PCA, it remains to specify an appropriate acceptance condition
F. Recall that we required that (i) exactly one process terminates in s1 and (ii)
no process terminates in a state from {t1 , t2 , t3 }. Formally, this is achieved using
^
F = 9 1 u. (u) = s1 ^ ¬9 2 u. (u) = s1 ^
¬9 1 u. (u) = ti .
1i3
As F is a boolean combination of statements of the form 9 n u. (u) = s with
s 6= s0 , the PCA Atoken is actually a weak PCA. Consider again the MSCs M1 and
M2 from Figure 3.5 on page 43. We have M1 2 L(Atoken ) and M2 62 L(Atoken ). }
3.7 Logical Characterizations of PCAs
Since an MSC contains two types of varying objects, namely processes and events,
it is natural to introduce a two-valued logic to reason about them. Accordingly,
we have variables u, v, w, . . . and U, V, W, . . . to range over processes and sets of
processes, respectively, as well as variables x, y, z, . . . and X, Y, Z, . . ., ranging over
events and sets of events, respectively.
Definition 3.19. The syntax of the logic MSON (over the fixed set of interface
names N ) is given as follows:
' ::= a!(x) | a?(x) | a 2 type(⇡(x)) | x Cproc y | x C⇤proc y | x ⇠ y | x Cmsg y |
x = y | x 2 X | ¬' | ' _ ' | 9x.' | 9X.' |
::= x@u | u
a b
v | u = v | u 2 U | 9u.' | 9U.'
where a, b 2 N .
}
50
All predicates are more or less self-explanatory apart from x ⇠ y, saying that
x and y are located on the same process, and x@u, saying that x is located on
u. Note that ⇠ can be expressed in terms of C⇤proc , since x ⇠ y is equivalent to
(x C⇤proc y) _ (y C⇤proc x). However, some of our results hold for logic fragments
that include ⇠ but discard C⇤proc . For the same reason, we include the predicate
a 2 type(⇡(x)), which is actually expressible using the formulas of type .
There are indeed several natural fragments of MSON . When we do not allow
formulas of the form , then we obtain weak MSO, denoted wMSON . The fragment
wEMSON of wMSON consists of the ( -free) formulas of the form 9X1 . . . 9Xn .'
where ' does not contain any second-order quantification. We will also refer to the
fragment wEMSON (Cproc , ⇠, Cmsg ) of wEMSON where the predicate C⇤proc is not
allowed.
Let us formally define when M |=I ' for an MSC M = (P,
' 2 MSON , and an interpretation function I, which maps
, E, C, ⇡), a formula
• a first-order event variable x to an event I(x) 2 E,
• a first-order process variable u to a process I(u) 2 P ,
• a second-order event variable X to a set I(X) ✓ E, and
• a second-order process variable U to a set I(U ) ✓ P .
We proceed by induction, but consider only some cases:
• M |=I a!(x)
if `M (I(x)) = a!,
• M |=I a?(x)
if `M (I(x)) = a?,
• M |=I a 2 type(⇡(x)) if a 2 type(⇡(I(x))),
• M |=I x ⇠ y
if ⇡(I(x)) = ⇡(I(y)),
• M |=I x@u
if ⇡(I(x)) = I(u),
• M |=I u
a b
v
if I(u)
a b
I(v).
The other formulas are interpreted as expected. When ' is a sentence, i.e., it does
not have free variables, then satisfaction does not depend on the interpretation
function so that we write M |= ' instead of M |=I '. In that case, the set of
MSCs M 2 MSC such that M |= ' is denoted by L(').
Example 3.20. We continue the token-ring protocol from Examples 3.10 and 3.18.
Recall that N = {a, b}. We would like to express that there is a process that emits
a message and gets an acknowledgment that results from a sequence of forwards
through interface a. We first let fwd(x, y) ⌘ x a b y ^ 9z.(x Cproc z Cmsg y) where
x a b y is a shorthand for 9u.9v.(x@u ^ y@v ^ u a b v). It is well known that
the transitive closure of the relation induced by fwd(x, y) is definable in MSON ,
too. Let fwd+ (x, y) be the corresponding formula. It expresses that there is a
51
sequence of events leading from x to y that alternately takes process and message
edges, hereby following the causal order. With this, the desired formula is
' = 9x, y, z.(x Cproc y ^ x Cmsg z ^ x
a b
z ^ fwd+ (z, y)) 2 MSON .
Consider again Figure 3.5 on page 43. We have M1 |= ' and M2 6|= ', as well as
L(Atoken ) ✓ L(').
}
We now turn to logical characterizations of PCAs. We first consider weak PCAs,
which turn out to be closely related to wEMSON . However, note that restrictions
on the logic and the topologies are necessary [Bol14]: over N = {a, b, c, d}, there
is a weak first-order formula without C⇤proc and ⇠ that is not realizable by a weak
PCA on the class of ring forests. Thus, we are left with a small margin for positive
results. However, the following theorem is an analogon to Theorem 3.13, which
was stated there for fixed topologies:
Theorem 3.21 ([Bol14]). Suppose N = {a, b, c, d}. Let T be any of the following topology classes: pipelines, trees, grids, or rings. Moreover, let L ✓ MSCT .
The following statements are equivalent:
• There is A 2 wPCAN such that L(A) \ MSCT = L.
• There is ' 2 wEMSON (Cproc , ⇠, Cmsg ) such that L(') \ MSCT = L.
We leave open if Theorem 3.21 holds for the full logic wEMSON . The answer
is positive iff Theorem 3.13 still holds when we include the predicate C⇤proc , but
this is an open problem. However, we can safely include C⇤proc when we restrict to
existentially bounded MSCs:
Theorem 3.22 ([Bol14]). Suppose N = {a, b, c, d}. Let T be any of the following topology classes: pipelines, trees, grids, or rings. Moreover, let k 2 N and
def
L ✓ M = MSCT \ MSC9k . The following statements are equivalent:
• There is A 2 wPCAN over N such that L(A) \ M = L.
• There is a sentence ' 2 wEMSON such that L(') \ M = L.
Proof (sketch). Like in the proof of Theorem 3.13, we make use of a normal form
of first-order logic. However, due to the predicate C⇤proc , the structures we consider
do not have bounded degree anymore. Fortunately, there is a normal form due
to Schwentick and Barthelmann [SB99] that does not rely on that assumption
(like Gaifman’s normal form which, however, seems to be more difficult to apply in
52
⌈r/2⌉ = 2
a
b
a
b
a
b
a
⌈r/2⌉ = 2
a
b
b
a
b
a
b
e
▹∗
▹∗proc , ▹msg =
▹msg , ∼
▹proc , ▹msg
Figure 3.7: Neighborhoods of e with radius r = 3
our setting). Their normal form essentially (modulo existential quantification) says
that all events satisfy a formula ' that only talks about a neighborhood of a certain
radius r. Unlike in Hanf’s normal form, the size of a neighborhood is unbounded.
This is illustrated in Figure 3.7 for several signatures. However, every neighborhood
spans over a bounded sub-topopoloy (unless we include a predicate C⇤ in the logic
that refers to the full partial order). Topologies, in turn, are structures of bounded
degree so that there are finitely many such sub-topologies. For sub-topology T ,
using Theorem 3.15 on page 49 by Genest, Kuske, and Muscholl, we can construct
a fixed-topology CA AT that evaluates ' on T . The weak PCA we are looking for
now glues these finitely many fixed-topology CAs together. More precisely, every
process guesses a sub-topology T and starts AT . To make sure that the guess was
correct, it communicates it to any communication partner. As neighbors also have
to start their own fixed-topology CA, processes have to simulate several of them
simultaneously. However, a weak PCA is not able to detect topology neighborhoods
by itself. It needs some help from the underlying class of topologies. Informally
speaking, we require that paths that form a cycle in some topology form a cycle
everywhere, in any other topology from the underlying class. This is satisfied by
the classes of pipelines, grid, and trees. For rings, some additional work is needed to
get the result. Actually the theorem holds for any unambiguous class of topologies
(see [Bol14] for details). Note that this proof works similarly for Theorem 3.21.
Let us now turn to (full) PCAs. Again, there is no chance to get an MSO characterization even when we restrict to 0-bounded and certain context-bounded MSCs.
Actually, PCAs are not closed under complementation:
Theorem 3.23 ([BGK14]). Suppose N = {a, b}. Let ct 2 {s r, s1+r1}, let
def
T be the set of pipelines, and set M = MSCT \ MSC90 \ MSC(1,ct) . There is
A 2 PCAN such that, for all A0 2 PCAN , we have L(A0 ) \ M 6= M \ L(A).
53
Proof (sketch). Even under the context-type restrictions s r and s1+r1, MSCs over
pipelines can encode grid-like structures (cf. Figures 3.8 and 3.9). For grids, there
have been similar results, showing that graph acceptors are not complementable
[Tho96, MST02]. By the grid encoding, the non-complementability result can be
transferred to our setting.
a
b
a
b
a
b
a
b
a
b
a
b
a
b
a
b
Figure 3.9: Grid encoding for s r
Figure 3.8: Grid encoding for s1+r1
The next theorem does not rely on a particular class of topologies. However, recall
that we fixed some finite set N of interface names.
Theorem 3.24 ([BGK14]). Let k
1 and ct 2 {s r1, intf}. Moreover, let
def
L ✓ M = MSC90 \ MSC(k,ct) . The following statements are equivalent:
• There is A 2 PCAN such that L(A) \ M = L.
• There is a sentence ' 2 MSON such that L(') \ M = L.
Proof (sktech). Again, the construction of a formula from an automaton is rather
standard, though we have to cope with a two-sorted logic.
The other direction is by induction on the structure of the formula. In particular, negation translates to complementability of (context-bounded) PCAs, which is
the key technical issue in the proof. Complementation relies on a disambiguation
construction. From the given PCA A, one constructs another PCA that is unambiguous and equivalent to A on MSC(k,ct) . Unambiguous here means that every
MSC comes with exactly one run (accepting or not). The main idea for this construction is to divide the events of an MSC from MSC(k,ct) into zones, as illustrated
in Figure 3.10. We only illustrate the more complicated case ct = s r1 (the case
intf is similar). An interval is a set of successive (i.e., not interrupted) events that
belong to one and the same process. Then, a zone consists of an interval of successive send events of one process, together with the corresponding receive events,
as long as the latter form intervals themselves on the corresponding processes.
One can show that, for each MSC in MSC(k,s r1) , there is a zone partitioning such
that every process traverses at most K = k · (|N |2 + 2|N | + 1) different zones. The
crucial point is now that, on MSC(k,s r1) , zones can be computed deterministically
by a PCA. During that procedure, a sending process will maintain a summary of all
possible “global transitions” induced by a zone, by simulating all possible transitions
54
1
a
b
2
a
b
3
a
b
4
a
b
5
..
.
..
.
..
.
..
.
..
.
..
.
..
.
..
.
..
.
..
.
Figure 3.10: s r1-Contexts and Zones
of the receiving processes. The acceptance condition will then check in terms of a
tMSO formula whether the summaries can be glued together towards an accepting
run. Once we have an unambiguous PCA, complementation is accomplished just
by negating the acceptance condition.
Interestingly, determinization procedures have been used to obtain complementability and MSO characterizations for context-bounded and scope-bounded multipushdown automata [LMP10a, LNP14a] (cf. Chapter 3). A pattern that we share
with these approaches is that of computing summaries in a deterministic way.
Overall, however, we have to use quite different techniques, which is due to the
fact that, in our model, processes evolve asynchronously.
3.8 Model Checking
From the previous section, we conclude that context-bounded PCAs with rendezvous communication form a robust automata model: they are closed under all
boolean operations and enjoy a logical characterization in terms of an unrestricted
MSO logic. But there is more: the emptiness problem is decidable for some topology classes, which is stated in the following theorem.
Theorem 3.25 ([BGS14]). Suppose N = {a, b, c, d}. Let ct 2 {s r1, intf},
and let T be any of the following topology classes: pipelines, trees, or rings. The
following problem is decidable:
Instance:
Question:
A 2 PCAN ; k
1
L(A) \ MSCT \ MSC90 \ MSC(k,ct) 6= ; ?
Proof (sketch). The proof relies on the zone partitioning that we used for Theorem 3.24. Consider the case of pipelines. Roughly speaking, we construct a finite
automaton (running over pipelines) that guesses a run of the given PCA in terms
55
of zones and state summaries. As we can assume that every process traverses a
bounded number of zones, we actually deal with a finite automaton over a finite
alphabet. The finite automaton can now check if its guess actually corresponds
to an accepting run. Thus, it accepts all those pipelines that allow for a contextbounded run of the given PCA. Emptiness of that exponentially big (in k) finite
automaton can be checked in Pspace. Accordingly, for tree topologies, we construct a tree automaton. In the case of rings, we essentially use the construction for
pipelines. However, some additional work is needed to rule out cyclic dependencies
that would contradict the run definition.
Over pipelines and rings, the decision problem from Theorem 3.25 is Pspacecomplete when the acceptance condition is presented as a finite automaton (instead
of an MSO formula). Over trees, it is Exptime-complete when the acceptance
condition is given in terms of a tree automaton. In all cases, we assume that the
context bound k is encoded in unary.
From Theorems 3.24 and 3.25, we deduce that context-bounded model checking of
PCAs against MSO properties is decidable:
Theorem 3.26 ([BGS14, BGK14]). Let ct 2 {s r1, intf} and let T be any of
the following topology classes over N = {a, b, c, d}: pipelines, trees, or rings. The
following problem is decidable:
Instance:
Question:
A 2 PCAN ; ' 2 MSON ; k
1
L(A) \ MSCT \ MSC90 \ MSC(k,ct) ✓ L(') ?
Let us conclude by comparing the above model-checking result with related work.
Maybe the most interesting feature in view of previous results on model checking
parameterized systems is that our MSO logic is unrestricted, while other approaches
rely on dropping temporal operators such as the next modality from LTL [EN03,
AJKR14, JB14]. However, as demonstrated in Example 3.20, next modalities make
a lot of sense once the behavior of a parameterized system is modeled as a partial
order or MSC rather than a string.
In general, there are several orthogonal ways to get decidability of model checking
in a parameterized setting. For example, nonemptiness of PCAs becomes decidable
over rings when tokens are unary (i.e., |Msg| = 1) [EN03, AJKR14]. Note that
our token-ring protocol from Example 3.10 on page 46 assumes a binary token
Msg = {0, 1}, for which nonemptiness is already undecidable in general. However,
as we have seen, we obtain decidability when restricting to a bounded number of
contexts. Point-to-point communication yields an undecidable model, too, unless
processes (i) choose a communication partner nondeterministically [AKR+ 14], (ii)
use broadcasting [DSZ10, DSZ11], (iii) restrict the topologies in a suitable manner
(e.g., bounded depth) [Mey08, EGM13, AKR+ 14], or (iv) bound the number of
contexts (our approach).
56
3.9 Perspectives
The results presented in this chapter can only be called a first step towards a
“regular” language theory of parameterized concurrent systems.
Note that Theorems 3.25 and 3.26 apply to concrete “regular” classes of topologies, namely pipelines, trees, and rings. It will be interesting to see if this can
be extended to classes of bounded tree/clique width. This is the approach from
[AKR+ 14], though for topologies of unbounded degree.
One should actually try to extend our results to automata models that take account
of communication topologies of unbounded degree such as star topologies or, more
generally, unranked trees. Such automata may be equipped with registers so that
processes can remember, at any time, some of their neighbors [DST13, BCH+ 13]
(see also Chapters 4 and 5). Moreover, many distributed protocols are able to
exchange and compare process identifiers. Actually, the logic MSON is so powerful
that it is capable of tracing back the origin of a pid in such a system. This will
possibly allow us to verify also leader-election protocols and alike. Similar ideas
will be applied in Chapter 4 to automata with registers, which can store values
from an infinite alphabet (such as pids) and compare them for equality.
Finally, there seem to be close connections with the area of distributed algorithms,
which should be explored further. Indeed, there are algorithms that evaluate a
given process architecture wrt. logical specifications [GW10] or construct a map of
an anonymous graph [CDK10], which is similar to what a (weak) PCA does in the
proof of Theorem 3.22.
57
58
CHAPTER
4
Dynamic Sequential Systems
Like the previous chapter, this chapter also deals with systems whose behavior
involves an unbounded number of processes. However, the systems modeled here
may be considered dynamic, since there will be a feature that allows them to
create fresh process identifiers. We will first consider sequential systems, meaning
that there is a global control to which all participating processes have access.
Consequently, our system model will have one single state space. A study of a
model of dynamic concurrent systems can be found in Chapter 5.
An action that is performed by a dynamic sequential system is taken from an
infinite alphabet. The alphabet is the cartesian product of a finite part A, denoting
the type or label of an action, and an infinite part D, denoting the pid of the process
executing the action. In a more general setting, the elements of the infinite set are
often referred to as data values. As our systems are sequential, a behavior may be
described as a string over A⇥D, which is commonly called a data word. Similarly to
words over a distributed (visibly) alphabet (cf. Chapter 2), which induce nesting
relations, a data word comes with a natural graph structure in terms of edges
between two successive word positions as well as between two position that carry
the same data value.
Recall that we are interested in modeling systems as automata. The study of automata over infinite alphabets has its origins in the seminal work by Kaminski and
Francez [KF94]. Their finite-memory automata (more commonly called register
automata) equip finite-state machines with registers in which data values can be
stored and be reused later. Register automata preserve some of the nice properties of finite automata: they have a decidable emptiness problem and are closed
under union and intersection. On the other hand, they are neither determinizable
nor closed under complementation. There are actually several variants of register
59
automata, which all have the same expressive power but differ in the complexity
of decision problems (see [DL09]).
Subsequently, many more automata models have been considered, aiming at a
good balance between expressivity and decidability [NSV04, DL09, KZ10, BL10].
Motivated by the study of logics over data words, Bojanczyk et al. introduced
data automata [BDM+ 11]. While register automata are a one-way model, data
automata read a data word twice: a finite-state transducer first scans its projection
onto A, outputting a word of equal length over some finite alphabet A0 . A second
device, a finite automaton over A0 , then checks every projection to positions with
the same data value.
Data automata are expressively equivalent to the one-way model of class memory
automata [BS10]. A class memory automaton does not use registers either. Instead,
when reading a word position with, say, some data value d, it can access the state
taken after executing the prior position with d. This is very much in the spirit
of nested-word automata where, at some return position, one can access the state
(or, stack symbol) associated with the corresponding call (cf. Chapter 2). We come
back to that issue in Section 4.3. Class memory automata [BS10] feature a notion
of freshness. A transition of a class memory automaton explicitly allows a data
value to be declared as fresh, i.e., to occur for the first time in the history of a
run. Freshness is an important notion in programming languages when names are
supposed to be unique. In our context, it is crucial, since we require that processes
are identifiable by unique pids. Freshness for register automata was introduced in
[Tze11]. Like ordinary register automata, fresh-register automata preserve some of
the good properties of finite automata. However, they inherit negative results of
register automata and have, for example, an undecidable universality/equivalence
problem.
In this chapter, we are aiming at a robust automata model for data words, i.e., a
model that is closed under complementation (in a restricted sense), has a decidable
equivalence problem, and enjoys a logical characterization.1 Moreover, it should
be suitable as a model of dynamic sequential systems. In particular, this means
that we are looking for a one-way model so that (variants of) data automata,
alternating automata, or pebble automata are out of the question. In Section 4.1,
we propose session automata. Like register automata, session automata are a
syntactical restriction of fresh-register automata, but in an orthogonal way. While
register automata drop the feature of global freshness (referring to the history)
and keep a local variant (referring to the registers), session automata discard local
freshness, while keeping the global one. In Section 4.3, we will then look at a more
general model that unifies several of the above-mentioned models but still comes
with a solution to the realizability problem.
1
In [BHLM14], we were also aiming at an application in the context of automata learning,
where decidability of equivalence is crucial. However, this issue is beyond the scope of the thesis.
60
4.1 (Fresh-)Register Automata and Session Automata
Let, in the following, A be a finite alphabet and D be an infinite alphabet. We
will assume that A and D are disjoint.
For a set R , we let R ~ = {r~ | r 2 R }, R = {r | r 2 R }, and R " = {r" |
r 2 R }. Below, we introduce automata with a set of registers R . Transitions will
be labeled with an element from R ~ [ R [ R " , which determines a register and
the operation that is performed on it. More precisely, r~ writes a globally fresh
value into r, r writes a locally fresh value into r, and r" uses the value that is
currently stored in r. For ⇡ 2 R ~ [ R [ R " , we let reg(⇡) = r if ⇡ 2 {r~ , r , r" }.
Similarly,
8
~
>
<~ if ⇡ is of the form r
op(⇡) =
if ⇡ is of the form r
>
:
" if ⇡ is of the form r" .
def
def
def
Definition 4.1 (fresh-register automaton, cf. [Tze11]). A fresh-register automaton (FRA) over A and D is a tuple A = (S, R , ◆, F, ) where
• S is the nonempty finite set of states,
• R is the nonempty finite set of registers,
• ◆ 2 S is the initial state,
• F ✓ S is the set of final states, and
•
is a finite set of transitions.
A transition is a tuple of the form (s, (a, ⇡), s0 ) where s, s0 2 S are the source and
target state, respectively, a 2 A, and ⇡ 2 R ~ [ R [ R " . We call (a, ⇡) the
transition label.
}
(a,⇡)
For a transition (s, (a, ⇡), s0 ) 2 , we also write s
! s0 . When taking this
0
transition, the automaton moves from state s to state s and reads a symbol of the
form (a, d) 2 A ⇥ D. If ⇡ = r" 2 R " , then di is the data value that is currently
stored in r. If ⇡ = r~ 2 R ~ , then d is some globally fresh data value that has not
been read in the whole history of the run; d is then written into register r. Finally,
if ⇡ = r 2 R , then d is some locally fresh data value that is currently not stored
in the registers; it will henceforth be stored in register r.
Let us formally define the semantics of A. A configuration is a triple = (s, ⌧, U )
where s 2 S is the current state, ⌧ : R * D is a partial mapping denoting the
current register assignment, and U ✓ D is the set of data values that have been
used so far. We say that is final if s 2 F . As usual, we define a transition relation
(a,d)
over configurations and let (s, ⌧, U ) ===) (s0 , ⌧0 , U 0 ), where (a, d) 2 A ⇥ D, if there
is a transition s
(a,⇡)
! s0 such that the following hold:
61
8
>
<d = ⌧(reg(⇡)) if op(⇡) = "
1. d 62 ⌧(R )
if op(⇡) =
>
:
d 62 U
if op(⇡) = ~ ,
2. dom(⌧0 ) = dom(⌧) [ {reg(⇡)} and U 0 = U [ {d},
3. ⌧0 (reg(⇡)) = d and ⌧0 (r) = ⌧(r) for all r 2 dom(⌧) \ {reg(⇡)}.
A run of A on a data word (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤ is a sequence
(a1 ,d1 )
0
====)
(a2 ,d2 )
1
(an ,dn )
====) . . . ====)
n
for suitable configurations 0 , . . . , n with 0 = (◆, ;, ;). The run is accepting if
⇤
n is a final configuration. The language L(A) ✓ (A ⇥ D) of A is then defined
as the set of data words for which there is an accepting run. Note that FRAs
cannot distinguish between data words that are equivalent up to permutation of
data values: for w, w0 2 (⌃ ⇥ D)⇤ , we write w ⇡ w0 if w = (a1 , d1 ) . . . (an , dn ) and
w0 = (a1 , d01 ) . . . (an , d0n ) such that, for all i, j 2 [n], we have di = dj iff d0i = d0j . For
instance, (a, 4)(b, 2)(b, 4) ⇡ (a, 2)(b, 5)(b, 2). We call L ✓ (⌃ ⇥ D)⇤ a data language
if, for all w, w0 2 (⌃ ⇥ D)⇤ such that w ⇡ w0 , we have w 2 L iff w0 2 L. In
particular, L(A) is a data language for every FRA A.
We obtain natural subclasses of fresh-register automata when we restrict the transition labels (a, ⇡) 2 A ⇥ (R ~ [ R [ R " ) in the transitions.
Definition 4.2 (register automaton [KF94]). A register automaton (RA) is
an FRA (S, R , ◆, F, ) where every transition label is from A ⇥ (R [ R " ).
}
Definition 4.3 (session automaton [BHLM14]). A session automaton (SA)
is an FRA (S, R , ◆, F, ) where every transition label is from A ⇥ (R ~ [ R " ). }
The following example will demonstrate that RAs and SAs are incomparable wrt.
expressive power, and that FRAs are strictly more expressive than both restrictions.
Example 4.4. Consider the set of labels A = {req, ack} and the set of data values
D = N, representing an infinite supply of pids. We model a simple (sequential)
system where processes can approach a server and make a request, indicated by
req, and where the server can acknowledge these requests, indicated by ack. More
precisely, (req, d) 2 A ⇥ D means that the process with pid d performs a request,
which is acknowledged when the system executes (ack, d). Consider the following
data languages:
• L1 = “there are at most two open requests at a time”
• L2 = “a process waits for acknowledgment before its next request”
• L3 = “every acknowledgment is preceded by a request”
• L4 = “requests are acknowledged in the order they are received”
62
• L5 = “every process makes at most one request”
• L6 = “all requests take place before all acknowledgments”
Figure 4.1 depicts an RA that recognizes the data language L1 \ . . . \ L4 . That
is, it models a server that can store two requests at a time and will acknowledge them in the order they are received). For example, it accepts the data word
(req, 8)(req, 4)(ack, 8)(req, 3)(ack, 4)(req, 8)(ack, 3)(ack, 8). Note that a transition
label containing ri _ ri" actually refers to two transitions, one using ri and one
using ri"
(req, r2⊙ ∨ r2↑ )
s12
(ack, r1↑ )
(req, r1⊙ ∨ r1↑ )
s1
(req, r2⊙ ∨ r2↑ )
s0
(ack, r1↑ )
(ack, r2↑ )
s2
(ack, r2↑ )
s21
(req, r1⊙ ∨ r1↑ )
Figure 4.1: Register automaton A4.1 for L1 \ . . . \ L4
When, in addition, we want to guarantee that every process makes at most one
request, we need the freshness operator. Figure 4.1 depicts the SA A4.2 recognizing
L1 \ . . . \ L5 . We obtain A4.2 from A4.1 by replacing any occurrence of ri _ ri" with
ri~ . While (req, 8)(req, 4)(ack, 8)(req, 3)(ack, 4)(req, 8)(ack, 3)(ack, 8) is no longer
contained in L(A4.2 ), (req, 8)(req, 4)(ack, 8)(req, 3)(ack, 4)(ack, 3) is still accepted.
Note that L(A4.2 ) is indeed not recognizable by a (non-fresh) RA.
s12
(ack, r1↑ )
(req, r2! )
(req, r1! )
s1
(req, r2! )
s0
(ack, r1↑ )
(ack, r2↑ )
s2
(ack, r2↑ )
s21
(req, r1! )
Figure 4.2: Session automaton A4.2 for L1 \ . . . \ L5
To separate FRAs from RAs and SAs, simply consider data language L5 . Clearly,
it is not recognized by any RA nor by any SA, while an FRA recognizing it is given
in Figure 4.3 (where r is the only register).
63
(req, r! )
(ack, r⊙ )
(ack, r↑ )
s0
Figure 4.3: Fresh-register automaton A4.3 for L5
However, it is easily seen that there is no FRA that recognizes L3 \ . . . \ L6 . To
address this weakness of FRAs, we will later introduce an automata model that
actually captures that language (Section 4.3).
}
From Example 4.4, we deduce the following:
Corollary 4.5. FRAs are strictly more expressive than both RAs and SAs, while
SAs and RAs are incomparable wrt. expressive power.
4.2 Closure Properties of Session Automata
Closure properties of SAs and decidability will be established by means of a normal
form of a data word. The crucial observation is that, in an SA, data equality
in a data word only depends on the transition labels that generate it. In this
section, we suppose that the set of registers of a session automaton is of the form
R = {1, . . . , k} so that we can assume a natural total ordering on it. In the
def
following, let ⌦ = (N>0 )~ [ (N>0 )" .
Suppose an SA reads a sequence u = (a1 , ⇡1 ) . . . (an , ⇡n ) 2 (A ⇥ ⌦)⇤ of transition
labels. We call u a symbolic word. It “produces” a data word iff a register is
initialized before it is used. Formally, we say that u is well-formed if, for all
positions j 2 [n] with op(⇡j ) = ", there is i 2 [n] such that ⇡i = reg(⇡j )~ . Let
WF ✓ (A ⇥ ⌦)⇤ be the set of all well-formed words. With u 2 (A ⇥ ⌦)⇤ , we can
associate an equivalence relation ⇠u ✓ [n] ⇥ [n], letting i ⇠u j iff
• reg(⇡i ) = reg(⇡j ), and
• i  j and there is no position k 2 {i + 1, . . . , j} such that ⇡k = reg(⇡i )~ , or
j  i and there is no position k 2 {j + 1, . . . , i} such that ⇡k = reg(⇡i )~ .
If u is well-formed, then the data values of any data word w = (a1 , d1 ) . . . (an , dn )
that is “accepted via” u conform with the equivalence relation ⇠u . That is, we have
di = dj iff i ⇠u j. We call w a concretization of u. Let data(u) denote the set of all
concretizations of u. This
is extended to sets L ✓ (A ⇥ ⌦)⇤ of well-formed words,
def S
and we set data(L) = u2L \ WF data(u). Note that, here, we first filter the wellformed words before applying the operator. Now, let A = (S, R , ◆, F, ) be an SA.
In the obvious way, we may consider A as a finite automaton over A ⇥ (R ~ [ R " ).
We then obtain a regular language Lsymb (A) ✓ (A⇥⌦)⇤ . It is not difficult to verify
that L(A) = data(Lsymb (A)).
64
Though we have a symbolic representation of data languages recognized by SAs,
it is in general difficult to compare their languages, since quite different symbolic words may give rise to the same concretizations. For example, we have
data((a, 1~ )(a, 1~ )(a, 1" )) = data((a, 1~ )(a, 2~ )(a, 2" )). However, we can associate, with every data word, a (symbolic) normal form, producing the same set
of concretizations. Intuitively, the normal form uses the first (according to the
natural total order) register whose current data value is not used anymore. In the
above example, (a, 1~ )(a, 1~ )(a, 1" ) would be in symbolic normal form: the data
value stored at the first position in register 1 is not reused so that, at the second
position, register 1 has to be overwritten. For that reason, (a, 1~ )(a, 2~ )(a, 2" ) is
not in symbolic normal form. In contrast, (a, 1~ )(a, 2~ )(a, 2" )(a, 1" ) is in normal
form, since register 1 is read at the end of the word.
Let w = (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤ be a data word and d 2 {d1 , . . . , dn }.
By first(d), we denote the position j where d occurs for the first time, i.e., such
that dj = d and there is no k < j such that dk = d. Accordingly, we define
last(d) to be the last position where d occurs. We define the symbolic normal
def
form snf (w) = (a1 , ⇡1 ) . . . (an , ⇡n ) 2 (A ⇥ ⌦)⇤ of w inductively, along with sets
Free(i) ✓ N indicating the registers that are reusable after executing position
i 2 [n]. Setting Free(0) = N>0 , we define
⇡i =
(
min(Free(i 1))~
reg(⇡first(di ) )"
if i = first(di )
otherwise ,
and
8
>
<Free(i
Free(i) = Free(i
>
:
Free(i
1) \ min(Free(i
1) [ {reg(⇡i )}
1)
1)) if i = first(di ) 6= last(di )
if i = last(di )
otherwise .
We canonically extend snf to data languages L, setting snf (L) = {snf (w) | w 2 L}.
Example 4.6. Let w = (a, 8)(b, 4)(a, 8)(c, 3)(a, 4)(b, 3)(a, 9). Then, we have that
snf (w) = (a, 1~ )(b, 2~ )(a, 1" )(c, 1~ )(a, 2" )(b, 1" )(a, 1~ ).
}
w
∈ data(u)
∈ (A × D)∗
snf
data
u
= snf (w)
∈ (A × Ω)∗
Figure 4.4: Relation between data words and symbolic normal forms
The relation between the mappings data and snf is illustrated in Figure 4.4. One
easily verifies that L = data(snf (L)), for all data languages L. Therefore, equality
of data languages reduces to equality of their symbolic normal forms:
Lemma 4.7. Let L and L0 be data languages. Then, L = L0 iff snf (L) = snf (L0 ).
65
Of course, symbolic normal forms may use any number of registers so that the set
of symbolic normal forms is a language over an infinite alphabet as well. However,
given an SA A, the symbolic normal forms that represent the language L(A) do
with a bounded (i.e., finite) number of registers. Indeed, an important notion
in the context of SAs is the bound of a data word. Intuitively, the bound of
w = (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤ is the minimal number of registers that an
SA needs to execute w. Or, in other words, the bound is the maximal number of
overlapping scopes, where a scope is an interval delimiting the occurrences of one
particular data value. Formally, a scope of w is any set I ✓ {1, . . . , n} such that
there is d 2 {d1 , . . . , dn } with I = {first(d), . . . , last(d)}. Given a natural number
k 1, we say that w is k-bounded if every position i 2 {1, . . . , n} is contained in at
most k scopes. One can verify that a data word is k-bounded iff snf (w) is a word
def
over the alphabet A ⇥ ⌦k where ⌦k = {1, . . . , k}~ [ {1, . . . , k}" .
Let DWk denote the set of B-bounded data words. A data language L is k-bounded
if L ✓ DWk . Note that the set of all data words is not k-bounded, for any k.
Theorem 4.8 ([BHLM14]). Let A = (S, R , ◆, F, ) be an SA with R =
{1, . . . , k}. Then, L(A) is k-bounded. Moreover, snf (L(A)) is a regular language
over the finite alphabet A ⇥ ⌦k . A corresponding automaton can be effectively
computed. Its number of states is at most exponential in k and linear in |S|.
Using Theorem 4.8, we obtain the following closure properties of SA:
Theorem 4.9 ([BHLM14]). We have the following closure properties:
• SAs are closed under union and intersection.
• SAs are complementable for k-bounded data words: Given an SA A with k
registers, there is an SA B with k registers such that L(B) = DWk \ L(A).
Note that, while FRA are not complementable wrt. the set of all data words, they
are complementable for k-bounded data words. The reason is that, given an FRA
A, one can construct an SA B such that L(B) = L(A) \ DWk .
4.3 Class Register Automata
Example 4.4 on page 62 revealed a certain weakness of FRAs concerning their
expressiveness and, therefore, modeling power. In this section, we will present an
automata model that captures the language L3 \ . . . \ L6 in question. Despite
its expressive power (which entails undecidability of its emptiness problem), it
66
has a natural mode of operation, taking into account the local control flow of
a process. Moreover, it captures previously defined automata (as well as others
from the literature) as special cases. Our model is named class register automata,
since it combines register automata and class memory automata [BS10]. Though
basic decision problems are undecidable for that model, we will later see that its
expressive power lies between EMSO and MSO logic so that it is still, in a sense
“regular”.
Similarly to nested words and message sequence charts (cf. Chapters 2 and 3), our
new automata model will access a graph structure that we add on top of a data
word. Actually, we associate with a data word w = (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤
two relations, C+1 ✓ [n] ⇥ [n] and C 1 ✓ [n] ⇥ [n]. We let C+1 = {(i, i + 1) | i 2
[n 1]}. Moreover, for all i, j 2 [n], we let i C 1 j iff i < j, di = dj , and there is
no k 2 {i + 1, . . . , j 1} such that di = dk . Thus, i C 1 j denotes the fact that i
and j are successive positions carrying the same data value.
Example 4.10. In Figure 4.5, we illustrate the two relations associated with a
data word w over ⌃ = {a, b} and D = N. Straight edges represent the relation
C+1 , while curved edges represent C 1 .
}
⊕1
1
+1
w = a8
2
3
4
5
6
7
8
a
5
a
3
a
4
b
3
b
4
b
5
b
4
Figure 4.5: The relations C+1 and C
1
A run of a class register automaton on a data word w = (a1 , d1 ) . . . (an , dn ) proceeds
as follows. Like an FRA, it comes with a finite set of registers, say R . Like in an
FRA, data values may be written into these registers and be reused later. The
main difference is that, when reading a position j in the data word, the automaton
can access the contents of some register r both
• at position i with i C+1 j (denoted r ), and
• at position i with i C
1
j (denoted r ).
This looks all the more reasonable, since C 1 reflects the control flow of one single
process. Moreover, it is in the spirit of nested-word automata (cf. Chapter 2).
def
def
So, let R = {r | r 2 R } and R = {r | r 2 R }. Actually, a transition
will be constrained by a guard, which is a boolean combination of atoms ✓1 = ✓2
where ✓1 , ✓2 2 {c} [ R [ R . Here, c stands for “current data value”. The
set of guards (over R ) is denoted by Guard (R ). When executing a transition,
registers may obtain new data values: either the data value currently read, or one
of the data values previously stored in registers, or a “guessed” data value: any
67
data value that is in the `-neighborhood (as defined below) of the given position,
where ` 2 N is a radius. This is specified by an update, which is a partial function
⌫ : R * R [ R [ N. The set of updates is denoted by Upd (R ).
Definition 4.11 (CRA [Bol11]). A class register automaton (CRA) over A and
D is a tuple A = (S, R , , ◆, F, G) where
• S is the nonempty finite set of states,
• R is the nonempty finite set of registers,
• ◆ 2 S is the initial state,
• F ✓ S is the set of local final states,
• G ✓ S is the set of global final states, and
•
✓ 2S ⇥ S ⇥ Guard (R ) ⇥ A ⇥ Upd (R ) ⇥ S is the finite set of transitions. }
We call A non-guessing if every update is a partial function ⌫ : R * R [R [{0}.
This means that each “guess” is restricted to the current data value.
Again, we define the semantics of A via the notion of a configuration. Here, a
configuration is a pair = (s, ⌧) where s 2 S is the current state and ⌧ : R * D
is a partial mapping denoting the current register assignment. We do not need to
keep track of the set of used data values, since a run will be defined as a mapping
of word positions to configurations. As before, configuration is final if s 2 F . It
is initial if s = ◆ and ⌧ is undefined everywhere.
Let (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤ be a data word. For i 2 [n] and ` 2 N, let D` (i)
denote the set {dj | j 2 [n] has distance at most ` from i in the (undirected) graph
([n], C+1 [ C 1 [ C+11 [ C 11 ) of those data values that are in the `-neighborhood
of i in w. A run of A is a sequence of configurations 0 1 . . . n satisfying some
properties. First, 0 has to be initial. Suppose i = (si , ⌧i ). Then, we require
that, for all i 2 [n], there are a guard 2 Guard (R ), an update ⌫ 2 Upd (R ), and
T ✓ S such that
• (T, si
1,
, ai , ⌫, si ) 2
,
• if there is no j 2 [n] such that jC
for all r 2 R ,
• jC
1
1 i,
then we have both T = ; and ⌫(r) 62 R
i implies sj 2 T , for all j 2 [n] (note that there is at most one such j),
• guard
is evaluated to true on the basis of its atoms: ✓1 = ✓2 is true iff
val i (✓1 ) = val i (✓2 ) 2 D where
– val i (c) = di ,
– val i (r ) = ⌧i
1 (r)
(i.e., if ⌧i
1 (r)
68
is undefined, then so is val i (r )), and
– val i (r ) =
(
⌧j (r)
if j C 1 i
undefined if there is no j such that j C
1
i
(note that, in the latter two cases, the valuation may be undefined and,
therefore, not be in D so that ✓1 = ✓2 is not satisfied),
8
>
⌧i (r) = ⌧i 1 (r̂) if ⌫(r) = r̂
>
>
>
<⌧ (r) = ⌧ (r̂)
if j C 1 i and ⌫(r) = r̂
i
j
• for all r 2 R , we have
>⌧i (r) 2 D` (i)
if ⌫(r) = ` 2 N
>
>
>
:⌧ (r) undefined if ⌫(r) undefined.
i
The run is accepting if sn 2 G and, for all i 2 [n] such that i is C 1 -maximal,
si 2 F . As usual, the set of data words that admit an accepting run of A is
denoted by L(A). Clearly, L(A) is a data language.
Example 4.12. Recall from Example 4.4 on page 62 that there is no FRA recognizing the language defined as the intersection of the following data languages over
A = {req, ack} and D = N:
• L3 = “every acknowledgment is preceded by a request”
• L4 = “requests are acknowledged in the order they are received”
• L5 = “every process makes at most one request”
• L6 = “all requests take place before all acknowledgments”
Formally, the language in question is
L = {w 2 (A ⇥ D)⇤ | w ⇡ (req, 1) . . . (req, n)(ack, 1) . . . (ack, n) for some n 2 N} .
For example, (req, 8)(req, 5)(req, 3)(req, 4)(ack, 8)(ack, 5)(ack, 3)(ack, 4) 2 L.
The (non-guessing) CRA A4.6 from Figure 4.6 recognizes L, i.e., L(A4.6 ) = L. We
have F = {s2 } and G = {s0 , s2 }, i.e., s2 is the only local final state (indicated by the
outgoing arrow), and s0 and s2 are the global final states. The updates are written
in the form of an assignment. In a run, state s1 is taken after executing requests,
while s2 is assigned to acknowledgment positions. Moreover, the CRA has two
registers, r1 and r2 . Suppose it reads (req, d1 ) . . . (req, dn )(ack, dn+1 ) . . . (ack, d2n ).
In the request phase, the current data values are respectively stored in register
r1 . Moreover, r2 takes the data values at the C+1 -predecessor position. When
entering the second phase (going from s1 to s2 ), the guard r2 6= r2 will ensure that
position n + 1 is the unique C 1 -predecessor position where r2 is undefined. Thus,
d1 = dn+1 . Then, the loop in s2 makes sure that every position n + i with i 2
matches the request position where the contents of r2 equals that of r1 at position
n + i 1. Since s2 is the only local final state, every request has to be followed by
a matching acknowledgment. Altogether, we have d1 . . . dn = dn+1 . . . d2n .
}
69
⎛
s0
∅ ; true
⎜
⎜ (req, c)
⎛
⎞ ⎜
⎝ r1 := c
∅ ; true
⎜
⎟
r2 := r1−
⎝ (req, c) ⎠
r1 := c
s1
⎞
⎞
⎛
{s1 } ; r2⊖ = r1−
⎟
⎟
⎟
⎟⎛
⎞⎜
(ack, c)
⎠
⎠
{s1 } ; r2⊖ ̸= r2⊖ ⎝
⎜
⎟
r1 := c
(ack, c)
⎝
⎠
r1 := c
s2
Figure 4.6: (Non-guessing) class register automaton A4.6
Note that some interesting automata models over data words can be identified as
a special case of CRAs.
• A class memory automaton (CMA) [BS10] is a CRA A = (S, R , , ◆, F, G)
such that, for all transitions (T, s, , a, ⌫, s0 ) 2 , we have that = true and
⌫ is undefined everywhere. In other words, registers are not used at all, while
states of C 1 can still be accessed.
• A quasi-FRA is a non-guessing CRA A = (S, R ,
and, for all transitions (T, s, , a, ⌫, s0 ) 2 ,
1. T = S or T = ;,
2. if T = S, then (;, s, , a, ⌫, s0 ) 2
3. for all atoms ✓1 = ✓2 occurring in
, ◆, F, G) such that F = S
,
, we have ✓1 , ✓2 2 {c} [ R , and
4. for all registers r 2 R , ⌫(r) is undefined or contained in R
[ {0}.
Condition 1. implies that the concrete state at a C 1 -predecessor cannot be
accessed anymore. However, one may specify that a data value is globally
fresh (T = ;). By Condition 2., one cannot say that a data value is “nonfresh”. Conditions 3. and 4. prevent the automaton from accessing registers
at C 1 -predecessors.
• A quasi-RA is a quasi-FRA A = (S, R , , ◆, F, G) such that, for all transitions
(T, s, , a, ⌫, s0 ) 2 , both (;, s, , a, ⌫, s0 ) and (S, s, , a, ⌫, s0 ) are contained
in . In other words, it cannot be enforced anymore that a data value is
globally fresh.
Actually, many variants of register automata have been defined in the literature. In
the configuration of an RA, a register assignment is always an injective mapping,
which is relaxed in quasi-RAs. As a consequence, the latter use guards to compare
data values. Quasi-RAs are similar to the model presented in [CHJ+ 11] in the
context of automata learning. That model also uses guards to compare register
contents. Transitions in the model from [Seg06], on the other hand, are guarded
by a subset R of registers. The meaning is that R is exactly the set of registers
that contain the data value that is currently read. Though syntactically different,
those models are expressively equivalent, and the same holds for quasi-FRAs and
70
FRAs. Note that, however, the complexity of decision problems do not carry
over. For example, nonemptiness for quasi-RAs is PSPACE-complete, while it
is NP-complete for RAs (cf. Section 4.5). The expressive power of the various
automata models over data words (and logics as presented in the next section) is
illustrated in Figure 4.7. In particular, it was shown in [BS10] that CMAs are
strictly more expressive than RAs. The fact that CMAs are strictly weaker than
CRAs is witnessed by the language from Example 4.12. In fact, a simple pumping
argument shows that this language cannot be recognized by a CMA.
In the next section, we will establish that the expressive power of CRAs is between
EMSO and MSO logic (with a predicate for comparing data values for equality),
solving the realizability problem for EMSO logic. Note that, in the article [Bol11],
we introduced CRAs in a more general framework, allowing some flexibility in the
choice of the signature (rather than only C+1 and C 1 ). This allowed us to treat
dynamic communicating automata, which will be introduced in Chapter 5, as a
special case.
4.4 Automata vs. Logic over Data Words
We will now consider MSO logic over data words. It is quite natural to extend
classical MSO logic over words with a binary predicate x ⇠ y to express that
the data values at positions x and y coincide. Alternatively, one may include a
predicate x C 1 y relating two successive positions with the same data values. In
MSO logic, one will be expressible in terms of the other.
Definition 4.13. The set dMSO(A, D) of data MSO formulas (over A and D) is
built from the following grammar:
' ::= a(x) | x C+1 y | x C 1 y | x = y | x 2 X |
¬' | '1 _ '2 | 9x.' | 9X.'
where a 2 A, x, y are first-order variables, and X is a second-order variable.
}
The semantics of dMSO(A, D) is as expected. Let us only pick some cases: for a
data word w = (a1 , d1 ) . . . (an , dn ) 2 (A ⇥ D)⇤ and positions i, j 2 [n], we write
• w, i |= a(x) if ai = a,
• w, i, j |= x C+1 y if i + 1 = j, and
• w, i, j |= x C
1
y if di = dj and, for all k 2 {i+1, . . . , j
1}, we have di 6= dk .
For a sentence ' 2 dMSO(A, D), we let L(') denote the set of data words w such
that w |= '. Like for automata, L(') is a data language.
We will often write dMSO instead of dMSO(A, D), since we fixed A and D.
The predicate x ⇠ y is defined as an abbreviation for (x C⇤ 1 y)_(y C⇤ 1 x), where,
in turn, C⇤ 1 is the dMSO-definable reflexive transitive closure of C 1 .
71
The fragments dFO and dEMSO are defined as expected. Moreover, dEMSO2 will
denote the fragment of dEMSO that makes use of only two first-order variables.
Again, we may explicitly mention all the binary predicates (apart from x = y and
x 2 X) that we allow. For example, the logic dEMSO(C+1 , C 1 , ⇠) includes the binary predicate ⇠, which is per se not expressible in dEMSO = dEMSO(C+1 , C 1 ).
Example 4.14. We give a dFO formula ' over A = {req, ack} and D = N such
that L(') equals {w 2 (A⇥D)⇤ | w ⇡ (req, 1) . . . (req, n)(ack, 1) . . . (ack, n) for some
n 2 N} from Example 4.12. Recall that there is a CRA recognizing L('), but no
CMA and no FRA can accept L('). We define ' as the conjunction '1 ^ . . . ^ '4
where
'1 = 8x.9y.(req(x) ! ack(y) ^ x C
1
y)
says that every request is acknowledged (before the same process sends another
request),
'2 = 8x.9y.(ack(x) ! req(y) ^ y C
1
x)
says that every acknowledgment has a corresponding request,
'3 = ¬9x.9y.(ack(x) ^ req(y) ^ x C+1 y)
says that all requests precede all acknowledgments, and
✓
req(x) ^ req(y) ^ x C+1 y
'4 = 8x.8y.
0
0
! 9x .9y . ack(x0 ) ^ ack(y 0 ) ^ x C 1 x0 C+1 y 0 ^ y C
1
y0
◆
guarantees that two (successive) requests are acknowledged in the order they were
received.
}
There have been some logical characterizations of automata over data words. A
prominent one considers data automata [BDM+ 11], which were shown to be expressively equivalent to CMAs in [BS10].
Theorem 4.15 ([BDM+ 11]). CMAs are expressively equivalent to the data logic
dEMSO2 (C+1 , C 1 , ⇠, <).
A logical characterization of RAs has been obtained in [CLP11] via a semantical
restriction:
Definition 4.16 ([CLP11]). The set rgMSO of rigid guarded MSO formulas
contains any dMSO sentence of the form 9X1 . . . 9Xm .' where ' is built from
the grammar
' ::= a(x) | ↵(x, y, X1 , . . . , Xm ) ^ x ⇠ y | x = y | x 2 X |
¬' | '1 _ '2 | 9x.' | 9X.'
with ↵ being generated by the same grammar (without quantification over the variables X1 , . . . , Xm ) such that min(x, y) is uniquely determined from both max(x, y)
and X1 , . . . , Xn (in the expected manner).
}
72
Theorem 4.17 ([CLP11]). RAs are expressively equivalent to the logic rgMSO.
Further automata models and logics have been considered in the literature. For
example, a logical characterization has been established for weak data automata,
which are a semantical restriction of data automata and expressively equivalent to
the logic dEMSO2 (C+1 , ⇠) [KST12]. It seems that a logical characterization for
FRAs has not been considered so far.
Now, we turn to SAs and CRAs. We first identify a fragment of dMSO(A, D) that
is expressively equivalent to SAs.
Definition 4.18. A session MSO (sMSO) formula is a dMSO sentence of the form
9X1 . . . 9Xm .(↵ ^ 8x.8y.(x ⇠ y $
))
where ↵ and are from dMSO(C+1 ), i.e., they are classical MSO formulas containing neither C 1 nor ⇠.
}
Example 4.19. The sentence
'1 = 8x.8y.(x ⇠ y $ x = y)
is an sMSO formula. Its semantics L('1 ) is the set of data words in which every
data value occurs at most once. Moreover,
'2 = 8x.8y.(x ⇠ y $ true)
is an sMSO formula, and L('2 ) is the set of data words where all data values
coincide. As a last example, let
'3 = 9X.8x.8y.(x ⇠ y $ (¬9z.z 2 X ^ (x < z  y _ y < z  x))).
Then, L('3 ) is the set of 1-bounded data words. Intuitively, the variable X represents the set of word positions where a fresh data value is introduced.
}
Theorem 4.20 ([BHLM14]). Let L ✓ (A ⇥ D)⇤ . The following are equivalent:
• There is an SA A such that L(A) = L.
• There is a sentence ' 2 sMSO such that L(') = L.
Proof (sketch). The construction of a formula from an SA follows the classical
scheme: by means of existential second-order quantifiers, we guess an assignment
of transitions to word positions. In the first-order part ↵, it is then verified if this
assignment corresponds to an accepting run. Moreover, formula checks if data
73
equality in the data word at hand corresponds to the symbolic word produced by
the automaton.
For the other direction, the crucial observation is that every sMSO formula defines
a k-bounded data language where we can choose k to be the number of states of a
deterministic finite (word) automaton that recognizes the models of (where free
variables are handled by an extension of the alphabet A).
Thanks to the closure of SA under complementation for bounded data words, we
can establish another logical characterization in terms of full dMSO logic. However,
we have to restrict in advance to the class of k-bounded data words, for some k.
Recall that this is in the spirit of the logical characterizations in Chapters 2 and
3 where, similarly, one has to constrain the domain of nested words and MSCs to
obtain logical characterizations in terms of MSO logic.
Theorem 4.21. Let k
tively) equivalent:
1 and L ✓ DWk . The following statements are (effec-
• There is an SA A such that L(A) = L.
• There is a sentence ' 2 dMSO such that L(') = L.
This implies that, considered over k-bounded data words, the formalisms dMSO
logic, CRA, FRA, and SA all have the same expressive power, while RAs are
strictly weaker. Next, we turn to the relation between logic and CRAs. Recall that,
basic decision problems being undecidable, we were interested in the realizability
problem. It is solved positively for dEMSO specifications:
Theorem 4.22 ([Bol11]). For every sentence ' 2 dEMSO, there is a CRA A
such that L(A) = L(').
Proof (sketch). We adopt the technique from [BL06] (Theorem 3.13 on page 48).
The idea is to construct an automaton that computes, in a data word, the sphere
around a given event. The theorem then follows by Hanf’s normal form. Using
registers, the technique from [BL06] can indeed be adapted to deal with data words.
Note that the guessing mode is necessary to be able to anticipate neighborhoods
before verifying them.
Moreover, one can show that, despite their expressive power, CRAs recognize only
data languages that are definable in dMSO:
74
Theorem 4.23 ([Bol11]). For every CRA A, there is a sentence ' 2 dMSO
such that L(') = L(A).
Figure 4.7 summarizes and compares the expressive power of the various formalisms
considered in this chapter. Here, ! means “strictly included” and 99K means
“included” (strict inclusion being an open problem).
dMSO
CRA
dEMSO(▹+1 , ▹⊕1 )
CMA = dEMSO2 (▹+1 , ▹⊕1 , ∼, <)
FRA
RA = rgMSO
SA = sMSO
Figure 4.7: A hierarchy of automata and logics over data words
4.5 Decision Problems
Let us turn to decision problems, namely nonemptiness, inclusion, and model checking. For a class C 2 {FRA,RA,SA,CRA,CMA} of automata over data words and
a logic fragment L, we consider the following problems2 :
Problem 4.24. Nonemptiness(C): Problem 4.25. Inclusion(C):
Input:
Question:
Automaton A from C
L(A) 6= ; ?
Input:
Question:
Automata A and B from C
L(A) ✓ L(B) ?
Problem 4.26. ModelChecking(C, L):
Input:
Question:
Automaton A from C ; ' 2 L
L(A) ✓ L(') ?
We start with results that had been known for FRAs and RAs:
Theorem 4.27 ([KF94, Tze11]). The problem Nonemptiness(FRA) and the
problem Nonemptiness(RA) are both NP-complete.
2
Recall that A and D are fixed. For the forthcoming results, it actually does not make a
difference if A is part of the input or any fixed finite alphabet.
75
The NP upper bound directly carries over to SAs. The nonemptiness problem for
SAs is actually NP-complete, too. The lower bound is shown by a reduction from
3-CNF-SAT (cf. [BCH+ 13]).
Theorem 4.28. Nonemptiness(SA) is NP-complete.
Note that the problem becomes considerably harder when we move up in the hierarchy of automata for data words.
Theorem 4.29 ([BDM+ 11]). Nonemptiness(CMA) is decidable, and as hard
as Petri-net reachability.
As a corollary from Theorem 4.29 and the effectiveness of Theorem 4.15, one obtains that satisfiability of dEMSO2 (C+1 , C 1 , ⇠, <) is decidable. It is easy to see
that dropping the two-variable restriction renders the satisfiability problem undecidable. By Theorem 4.22, this means that nonemptiness for CRAs is undecidable.
Thus, the gain in expressive power that CRAs provide comes at the expense of an
undecidable nonemptiness problem:
Theorem 4.30. Nonemptiness(CRA) is undecidable.
Next, we consider the inclusion problem. Unlike the nonemptiness problem, it is
already undecidable for the simple model of RAs:
Theorem 4.31 ([KF94, Tze11]). Inclusion(RA) is undecidable.
Therefore, the inclusion problem is undecidable for any other stronger automata
model such as FRAs and CMAs. However, we can establish decidability for SAs,
which is a corollary from Theorem 4.8:
Theorem 4.32 ([BHLM14]). Inclusion(SA) is decidable.
The situation in model checking is similar to that of inclusion when we choose the
full dMSO logic as a specification. It is undecidable for RAs, which follows from
undecidability of the satisfiability problem for dMSO.
Theorem 4.33. ModelChecking(RA,dMSO) is undecidable.
To obtain decidability, one therefore has to restrict the logic. From Theorems 4.29
and 4.15, it follows that the model-checking problem of CMAs against formulas
from the logic dFO2 (C+1 , C 1 , ⇠, <) is decidable.
76
Theorem 4.34 ([BDM+ 11]). ModelChecking(CMA,dFO2 (C+1 , C
is decidable.
1 , ⇠, <))
For the full dMSO logic, model checking is decidable for SAs, which follows from
Theorems 4.21 and 4.32:
Theorem 4.35 ([BCGNK12]). ModelChecking(SA,dMSO) is decidable.
Note that the model-checking problem was actually solved in [BCGNK12] for a
more powerful model than SAs, including stacks.
4.6 Perspectives
Though we saw already a certain number of different automata models running
on data words, our study is far from being exhaustive. There are actually many
more interesting models such as alternating automata [DL09] or walking automata
[MMP13]. The latter, however, are rather “recognizers” than “generators” of behaviors so that they cannot be seen as system models. In this chapter, we introduced
the model of CRAs that captures, in a unifying framework, many of those models
from the literature that can actually be seen as system models. This, however,
comes at the price of undecidability of basic verification questions. Still, it would
be interesting to identify subclasses of CRAs that extend other existing models but
allow one to model realistic protocols such as leader-election algorithms. To this
end, one may resort to symbolic techniques or to well-quasi orderings as a technique to establish decidability for infinite-state systems. The latter have actually
been successfully applied in the realm of data words [Fig10].
77
78
CHAPTER
5
Dynamic Message-Passing Systems
In this chapter, we consider dynamic message-passing systems. In a sense, it combines Chapters 3 and 4, which considered static message-passing systems and, respectively, dynamic sequential systems. Processes will communicate, via message
passing, in a dynamic environment, which allows them to create new processes
during runtime. This framework is inspired by concurrent programming languages
such as Erlang. More precisely, each process has a unique process identifier (pid).
It also disposes of a finite number of registers, in which it can store pids of other
processes. Now, a process can communicate with all processes that it knows, i.e.,
whose pids are present in its registers. The knowledge topology is subject to
changes, though. When sending a message, a process may include, in the message,
processes that it knows. In turn, the receiving process may overwrite some of its
registers using the pids attached to the message. Moreover, a process can spawn
a new process, which obtains a unique, fresh pid (cf. fresh-register automata from
Chapter 4). The latter is henceforth stored in one of the registers of the spawning
process, which can then propagate the new pid to other processes.
In the following, we first extend the notion of message sequence charts (MSCs,
cf. Chapter 3) towards a dynamic version, and then introduce dynamic communicating automata (DCAs) as an extension of the static (fixed-topology) version
from Chapter 3. While communicating automata accept MSCs, DCAs will accept
dynamic MSCs. On the specification side, we introduce a conservative extension of
the session automata from the previous chapter to handle dynamic MSCs. These
register message sequence graphs (rMSGs) allow the specifier a global view of the
system. In this chapter, we study mainly the realizability question. Given an
rMSG, is there a DCA recognizing the same set of behaviors? Since our dynamic
framework properly extends the static setting, these questions are undecidable.
For this reason, we will consider executability, a non-trivial sufficient criterion for
79
implementability (essentially, realizability modulo message refinement), which we
then show to be decidable. Essentially, an rMSG is executable if, in each scenario,
a process p that sends a message to another process, say, with pid q, “knows” q.
Here, knowledge refers to the possibility of passing, during the execution, the process identity of q to p. In a second step, we discover a restriction of rMSGs, for
which executability and implementability coincide.
A first step towards MSCs over an evolving set of processes was made in [LMM02],
where MSO model checking is shown decidable for fork-and-join MSC grammars.
Our rMSGs are similar to these grammars, but take into account pids as message contents and distinguish messages and process creation. Moreover, (implementable) subclasses can be identified more easily. Nevertheless, several of our
results apply to the formalism from [LMM02] once the latter is adjusted to our
setting. In [BGP08], an MSC semantics was given for the ⇡-calculus, but the problems studied there are very different from ours and do not distinguish between a
specification and an implementation.
5.1 Dynamic Message Sequence Charts
We modify MSCs from Chapter 3 (Definition 3.3 on page 42) to deal with process
creation. Let P be a nonempty (finite or infinite) set of processes. Later, P may
def
be instantiated with a finite set of registers or the infinite set P = N of pids. A
process can perform send and receive actions, but it is also allowed to spawn new
processes. Moreover, it may attach processes/pids to a message. Thus, we fix a
def
finite ranked alphabet1 A. For any set B, let AhBi = {a(b1 , . . . , bn ) | a 2 A,
n = arity(a), and b1 , . . . , bn 2 B}. Then, the set of messages is given as AhP i.
The following definition is similar to Definition 3.3. However, since communication
topologies are henceforth dynamic, an MSC does not include a topology but certain
spawn events. We will first introduce partial MSCs, which feature an arbitrary
number of “existing” processes (i.e., those that are not spawned). Those processes
are analogous to free variables in logic formulas.
Definition 5.1 (partial MSC). A partial MSC over A and P is a tuple M =
(E, C, ⇡, µ) where
• E is a nonempty finite set of events,
• C = Cnew ] Cproc ] Cmsg is the acyclic edge relation,
def
• ⇡ : E ! P maps each event to a process—for p 2 P , we let Ep = {e 2 E |
⇡(e) = p}, and
• µ : Cmsg ! AhP i maps each message edge to a message.
We require that the following hold:
1
A ranked alphabet is an alphabet A that comes with a mapping arity : A ! N.
80
S
1. Cproc is a union p2P Cp where each Cp ✓ Ep ⇥ Ep is the direct-successor
relation of some total order on Ep ,
2. there is a partition E = E! ] E? ] Espawn ] Estart such that
• Cmsg induces a bijection between E! and E? ,
• Cnew induces a bijection between Espawn and Estart ,
S
• Cmsg and Cnew are subsets of p6=q (Ep ⇥ Eq ),
• there is no event e 2 Estart that has a Cproc -predecessor, and
• for all (e, f ), (e0 , f 0 ) 2 Cmsg such that ⇡(e) = ⇡(e0 ) and ⇡(f ) = ⇡(f 0 ),
we have e C⇤proc e0 iff f C⇤proc f 0 (FIFO).
}
The set of partial MSCs over A and P is denoted by pMSC(A, P ).
Note that the partition E = E! ] E? ] Espawn ] Estart is uniquely determined by the
def
fact that C is a partition Cnew ]Cproc ]Cmsg . We let Pids(M ) = {p 2 P | Ep 6= ;}.
def
By Free(M ) = {p 2 Pids(M ) | Estart \ Ep = ;}, we denote the set of free processes
of M . Intuitively, free processes of a partial MSC M have not been initiated in M .
def
Moreover, Bnd (M ) = Pids(M ) \ Free(M ) denotes the set of bound processes.
For every p 2 Pids(M ), there are a unique minimal and a unique maximal event in
the total order (Ep , C⇤p ), which we denote by minp (M ) and maxp (M ), respectively.
By MsgPar (M ), we denote the set of processes p 2 P that occur as a parameter in
some message, i.e., such that there is a(p1 , . . . , pn ) 2 µ(Cmsg ) with p 2 {p1 , . . . , pn }.
Now, we can define (complete rather than partial) dynamic MSCs:
Definition 5.2 (MSC). A dynamic MSC (or, simply, MSC) is a partial MSC
M = (E, C, ⇡, µ) such that Free(M ) is a singleton set.
}
Note that the partial order (E, C⇤ ) associated with M has a unique minimal event,
which we denote by init(M ). The set of MSCs over A and P is denoted by
dMSC(A, P ).
The notion of free processes in a partial MSC is important in the context of automata, where we start with a fixed number of processes. Actually, we suppose
that, at the beginning of an execution, we start with one single free process, though
we could extend the framework to an arbitrary fixed number of initial processes.
Example 5.3. An MSC M over A = {a, b, c} and P (recall that P = N) is shown
in Figure 5.1. Here, arity(a) = 1 and arity(b) = arity(c) = 0. We have Free(M ) =
{8} and Bnd (M ) = {3, 4, 5}.
}
As usual, we do not distinguish isomorphic structures. Moreover, none of the
formalisms that we are going to introduce next will be able to distinguish between
MSCs that differ only in pids. Given a partial MSC M , we denote by [M ] the set
of partial MSCs that can be obtained from M by renaming of pids (in the expected
manner—we omit the formal definition). This is extended to sets L, and we let [L]
81
8
4
new
5
new
a(5)
3
new
a(3)
b
c
c
Figure 5.1: An MSC
denote the union of sets [M ] with M ranging over L. When L = [L] holds, then
we say that L is closed. Note that a closed set of MSCs is in the spirit of a data
language (cf. Chapter 4), which is a “closed” set of data words.
5.2 Dynamic Communicating Automata
Next, we present our model of an implementation of a dynamic message-passing
system. As mentioned before, we essentially deal with communicating automata,
where processes execute send and receive actions (cf. Definition 3.9 on page 46).
However, processes can henceforth spawn new processes and exchange pids along
with messages.
5.2.1 The Model
Let us give the formal definition of dynamic communicating automata.
Definition 5.4 (DCA [BCH+ 13]). A dynamic communicating automaton (DCA)
over the ranked alphabet A (and P) is a tuple A = (S, R , ◆, F, ) where
• S is the nonempty finite set of states
• ◆ 2 S is the initial state,
• F ✓ S is the set of final states,
• R is the nonempty finite set of registers, and
•
is the set of transitions.
A transition is of the form (s, ↵, s0 ) where s, s0 2 S, and ↵ is an action, possibly
• r := spawn(t, r0 ) where r, r0 2 R and t 2 S,
• r!a(r1 , . . . , rn ) where r 2 R and a(r1 , . . . , rn ) 2 AhR ] {self}i, or
• r?a(r1 , . . . , rn ) where r 2 R ] {⇤}, and a(r1 , . . . , rn ) 2 AhR ] { }i such that
ri = rj 2 R implies i = j.
82
As usual, we write a transition (s, ↵, s0 ) 2
↵
as s ! s0 .
}
The basic feature of a DCA is the transmission of pids via messages. When a
process executes r!a(r1 , . . . , rn ), it sends a message to the process whose pid is
stored in register r. The message consists of label a as well as n = arity(a)
many pids stored in registers r1 , . . . , rn (or the sender’s pid if ri = self). Executing
r?a(r1 , . . . , rn ), a process receives a message from the process whose pid is stored in
r (selective receive) or, in case r = ⇤, from any process (non-selective receive). The
message must be of the form a(p1 , . . . , pn ) 2 AhPi. In the resulting configuration,
the receiving process updates its local registers r1 , . . . , rn to p1 , . . . , pn , respectively,
unless ri = , in which case pi is neglected. Finally, a process executing action
r := spawn(t, r0 ) spawns a new process, whose fresh pid is henceforth stored in
register r. The new process starts in state t. Its registers are a copy of the registers
of the spawning process, except for r0 , which is set to the pid of the spawning
process.
Example 5.5. An example DCA is depicted in Figure 5.2. It realizes a peer-topeer protocol. Hereby, A = {ack, com} with arity(ack) = 1 and arity(com) = 0.
In that protocol, a spawn action rather plays the role of joining a host and making
a request. The request is either forwarded to another host, or acknowledged (ack),
in which case a connection between the user and the latest host is established so
that they can henceforth communicate (com).
The first part of the DCA, comprising the states s0 , . . . , s3 , is only executed by
the very first, i.e., the requesting process. All other processes start in t1 . Going
from s0 to s1 , the initial process, say with pid 1, creates a new process, say with
pid 2. Pid 2 is henceforth stored in register r, but this is actually irrelevant, since
it will later be overwritten without being used. The new process, on the other
hand, starts its execution in t1 . It creates/joins another process, say with pid 3.
While process 3 stores the pid 2 in r0 , it inherits the contents of r, i.e., its register
assignment will be {r 7! 1, r0 7! 2}. In this manner, the pid of the initial process
is forwarded to any other process. When, at some point, we have n 3 processes,
the register assignment of process n is {r 7! 1, r0 7! n 1} (for n = 2, we have
{r 7! 1}). In particular, r holds the pid of the initial process, which had sent the
initial request. Now, suppose that process n is capable of satisfying the request. It
will then go from t1 to t2 and send an acknowledgment to the process whose pid
is stored in r, namely the initial process. Along with ack, process n sends its own
pid, indicated by self. Though 1 does not know n, it may receive that message,
executing the non-selective receive associated with the transition from s1 to s2 . As
a result, register r of process 1 takes the value n. Now, both processes know each
other (their respective pids are stored in register r) and can exchange messages of
type com, using selective receives.
}
5.2.2 Semantics
Let us describe the semantics of DCAs formally. Like for nested-word automata
(Chapter 2) and communicating automata (Chapter 3), there are essentially two
83
s0
r := spawn(t1 , r)
r!com
∗?ack(r)
s1
s2
s3
r?com
r?com
r!ack(self)
t1
t2
t3
r!com
r := spawn(t1 , r′ )
t5
Figure 5.2: The DCA A5.2 modeling a peer-to-peer protocol
1
new
2
new
3
new
4
ack(4)
com
com
Figure 5.3: An MSC accepted by the DCA A5.2
ways of defining the semantics: one running directly on MSCs, and one accepting
their linearizations. Again, we stick to the former.
Let ⌧ : R * P be a partial mapping, assigning identities to registers. For p 2 P
and m = a(r1 , . . . , rn ) 2 AhR ] {self}i such that {r1 , . . . , rn } ✓ dom(⌧) [ {self},
we let m[⌧, p] denote the message a(p1 , . . . , pn ) 2 Msg where
(
⌧(ri ) if ri 2 R
pi =
p
if ri = self .
Intuitively, m[⌧, p] is the message generated by a process with pid p and register
contents ⌧, when executing an action of the form r!a(r1 , . . . , rn ).
Now, when a process with register contents ⌧ : R * P executes r?a(r1 , . . . , rn )
(recall that a(r1 , . . . , rn ) 2 AhR ] { }i such that ri = rj 2 R implies i = j)
and receives message a(p1 , . . . , pn ) 2 AhPi, then its new register contents will be
⌧[r1 , . . . , rn 7! p1 , . . . , pn ], which is defined to be the partial mapping ⌧0 : R * P
given by
(
pi
if r = ri
⌧0 (r) =
⌧(r) if r 62 {r1 , . . . , rn } .
Let A = (S, R , ◆, F, ) be a DCA and M = (E, C, ⇡, µ) 2 dMSC(A, P). To facilitate the definition of a run of A on M , we assume that E contains some additional
84
event e, without particular labeling, such that e Cproc init(M ). A run of A will
be a pair ( , ⌧), where : E ! S and ⌧ : E ! [R * P]. In the following, we will
write e and ⌧e for (e) and ⌧(e), respectively. Then, ( , ⌧) is a run if it respects
the following conditions:
1.
e
= ◆ and ⌧e is undefined everywhere.
2. For all e1 , e2 , f 2 E with e1 Cproc e2 Cnew f , the relation
transition
r := spawn(s,r0 )
! e2
e1
such that
f
contains a
= s, ⌧e2 = ⌧e1 [r 7! ⇡(f )], and ⌧f = ⌧e1 [r0 7! ⇡(e1 )].
3. For all e1 , e2 , f 2 E with e1 Cproc e2 Cmsg f , we have ⌧e1 = ⌧e2 , and there is
a transition
r!a(r1 ,...,rn )
!
e1
e2
such that {r, r1 , . . . , rn } ✓ dom(⌧e1 ) [ {self}, ⌧e1 (r) = ⇡(f ), and µ(e2 , f ) =
a(r1 , . . . , rn )[⌧e1 , ⇡(e2 )].
4. For all e1 , e2 , f 2 E with e1 Cproc e2 , f Cmsg e2 , and µ(f, e2 ) = a(p1 , . . . , pn ),
there is a transition
r?a(r1 ,...,rn )
!
e1
e2
such that r = ⇤ or ⌧e1 (r) = ⇡(f ), and ⌧e2 = ⌧e1 [r1 , . . . , rn 7! p1 , . . . , pn ].
The run ( , ⌧) is accepting if { (maxp (M )) | p 2 Pids(M )} ✓ F . By L(A), we
denote the set of MSCs M over A and P such that there is an accepting run of A
on M . Note that L(A) is closed, i.e., L(A) = [L(A)].
5.2.3 Realizability vs. Implementability
Like for communicating automata, there is a discrepancy between the languages
that are recognized by DCAs and languages that one would actually consider to be
implementable. More precisely, there are languages L that are not the language of
a DCA, but for which there is a DCA implementing them up to some refinement.
The refinement allows a DCA to attach more information to a message than the
specification provides, for example additional pids. This is formalized as follows.
Let A, B be finite ranked alphabets and let h : B ! A. We say that the pair
(B, h) is a refinement of A if, for all b 2 B, arity(h(b))  arity(b). We can
extend h to a mapping h : dMSC(B, P) ! dMSC(A, P) as follows: for an MSC
M = (E, C, ⇡, µ) 2 dMSC(B, P), we let h(M ) = (E, C, ⇡, µ0 ) 2 dMSC(A, P) where
µ0 (e, f ) = h(b)(p1 , . . . , parity(h(b)) ) whenever µ(e, f ) = b(p1 , . . . , pn ). The mapping
is then further extended to sets of MSCs as expected.
85
Definition 5.6 (realizability and implementability). A set L ✓ dMSC(A, P)
is called
• realizable if [L] = L(A) for some DCA A,
• implementable if there are a refinement (B, h) of A and a DCA A over B
and P such that [L] = h(L(A)).
}
For both, realizability and implementability, it is necessary that the sender p of
a message knows the receiver q at the time of sending, i.e., q should be stored in
some register of p. Note that this aspect does not arise in simple communicating
automata (be it with fixed or parameterized topology).
Example 5.7. Consider Figures 5.4 and 5.5. The MSC language {M1 } is not
implementable, as process 1 does not know 2 when sending message a. However,
{M2 } is implementable (and even realizable), as 2 may know 1: when spawning 2,
process 0 can communicate the pid 1 to 2.
0
1
0
new
1
new
2
new
2
new
a
a
M1
M2
Figure 5.4: Implementability
The language {M3 } is not realizable: as process 0 knows neither 2 nor 3 when
it receives the messages, it has to use non-selective receives. But then, the DCA
also accepts M4 . On the other hand, {M3 , M4 } is realizable. However, {M3 }
and {M4 } are both implementable, since we can attach additional information to
the message contents a sent from 2 and 3 to 0, such as “1st/2nd message to be
received”, respectively. Alternatively, the first message may be refined to contain
the pid of the sender of the second message so that, for the latter, 0 can use a
selective receive.
}
0
1
0
new
1
new
2
new
2
new
3
3
new
new
a
a
a
a
M3
M4
Figure 5.5: Realizability vs. Implementability
86
5.3 Register MSC Graphs
DCAs serve as a model of an implementation, reflecting low-level primitives—such
as spawn, send, and receive—that are provided by concurrent programming languages. As such, DCAs are inherently hard to come up with or to analyze, all the
more since basic decision problems are undecidable. In this section, we provide a
specification formalism that allows for a high-level view of a system. We define
register message sequence graphs (rMSGs), which extend the well-studied message sequence graphs (MSGs) without process creation (see, for example, [GMP03,
AEY05, HMK+ 05, GMSZ06, GKM06]). In a sense, MSGs are to finite automata
what rMSGs are to session automata (cf. Chapter 4). Actually, rMSGs combine
MSGs with session automata: the transition labels are MSCs whose processes are
registers. Free processes are executed by the pids indicated by the corresponding
registers, while bound processes obtain a fresh pids, which are henceforth stored
in the allotted registers.
Like MSGs, rMSGs compose single behaviors towards bigger ones via concatenation. Let M = (E, C, ⇡, µ) and M 0 = (E 0 , C0 , ⇡ 0 , µ0 ) be partial MSCs over A and P .
The concatenation M M 0 glues identical processes together. Thus, it is defined if
def
Pids(M ) \ Bnd (M 0 ) = ;. In that case, M M 0 = (E ] E 0 , Ĉ, ⇡ [ ⇡ 0 , µ [ µ0 ) where
• Ĉproc = Cproc [ C0proc [ {(maxp (M ), minp (M 0 )) | p 2 Pids(M ) \ Pids(M 0 )},
• Ĉmsg = Cmsg [ C0msg , and
• Ĉnew = Cnew [ C0new .
Next, we define the new formalism to describe sets of MSCs. As already mentioned,
it is analogous to session automata, but the transitions are labelled with partial
MSCs.
Definition 5.8 (rMSG). A register message sequence graph (rMSG) over A (and
P) is a tuple H = (L, R , L0 , Lacc , r0 , T ) where
• L is the nonempty finite set of locations,
• L0 ✓ L is the set of initial locations,
• Lacc ✓ L is the set of accepting locations,
• R is the nonempty finite set of registers with initial register r0 2 R , and
• T is the finite set of transitions.
M
A transition is a triple (`, M, `0 ) 2 L ⇥ pMSC(A, R ) ⇥ L, usually written ` ! `0 ,
such that MsgPar (M ) \ Bnd (M ) = ; (which will guarantee an unambiguous interpretation of message parameters).
}
87
Like in (fresh-)register automata, we associate MSCs with an rMSG through the
notion of runs, which we will define after some preparation. Henceforth, a register
assignment is an injective partial mapping ⌧ : R * P from the set of registers to
the set of pids.
A configuration of H is a triple = (`, ⌧, U ) where ` 2 L is the current location,
⌧ : R * P is a register assignment, and U ✓ P is the set of pids that have been
used so far. We say that
is initial if ` 2 L0 , ⌧ = {r0 7! p}, and U = {p}
for some p 2 P. It is final if ` 2 Lacc . Via the global transition relation, we can
switch from one configuration to another, while reading a partial MSC from the set
M0
pMSC(A, P). More precisely, we let (`, ⌧, U ) ==) (`0 , ⌧0 , U 0 ) if there are a transition
M
` ! `0 and a bijection ⇠ : Bnd (M ) ! Bnd (M 0 ) such that the following hold:
1. Free(M ) [ MsgPar (M ) ✓ dom(⌧),
2. ⌧0 = ⌧[⇠] and M 0 = ⌧0 (M ), and
3. U 0 = U ] Bnd (M 0 ).
Here, ⌧0 (M ) is defined as expected: every register occurrence r 2 R in M is replaced
by ⌧0 (r) 2 P. Condition 1. says that free processes can be instantiated. Condition
2. makes sure that registers remain unchanged unless they are overwritten for a
new process. Finally, Condition 3. guarantees that bound processes obtain fresh
pids.
M
M
M
n
1
2
A run of H is a sequence ⇢ = 0 ==)
=)
. . . ==)
1. It
1 =
n with n
def
generates the MSC M (⇢) = M1 . . . Mn . Note that M (⇢) is indeed well-defined
and has exactly one free pid. We say that ⇢ is accepting if n is final. Finally,
def
L(H) = {M (⇢) | ⇢ is an accepting run of H} is the language of H.
Example 5.9. The rMSG H5.6 from Figure 5.6 below gives a high-level view of
the peer-to-peer protocol considered in Example 5.5 on page 83. Recall that A =
{ack, com} (acknowledgment, communication) with arity(ack) = 1 and arity(com) =
0. The initial register is r0 . A request is forwarded to new processes along with
the pid p of the initial process. At some point, a process acknowledges the request, sending its own pid q to the initial process. Processes p and q may then
communicate and exchange messages. A generated MSC is depicted in Figure 5.3
on page 84. Note that L(H5.2 ) is realizable, since we have L(A5.2 ) = L(H5.6 ), i.e.,
L(H5.6 ) is recognized by a DCA without any message refinement.
}
5.4 Executability of Register Message Sequence Graphs
Like for classical MSGs, the language of an rMSG is not necessarily realizable, nor
implementable. Even worse, undecidability of realizability and implementability
carries over to the dynamic setting. More precisely, we consider the following
decision problems:
88
r1
r0
r2
new
r1
new
ℓ0
ℓ1
r0
ℓ2
r2
r1
r1
r0
new
ack(r1 )
r0
ℓ3
r1
com
com
r2
ack(r2 )
r0
r2
com
com
ℓ4
Figure 5.6: The rMSG H5.6 modeling the peer-to-peer protocol
Problem 5.10. rMSG-Realizability:
Input:
Problem:
A ; rMSG H over A
Is L(H) realizable ?
Problem 5.11. rMSG-Implementability:
Input:
Problem:
A ; rMSG H over A
Is L(H) implementable ?
Unfortunately, both problems are undecidable, which is a consequence of the fact
that both problems are undecidable in the case of a fixed number of processes:
Theorem 5.12 ([AEY05, HMK+ 05]). Both problems, rMSG-Realizability
and rMSG-Implementability, are undecidable.
In the following, we focus on the implementability question. To overcome undecidability, we introduce a criterion, called executability, that is sufficient for implementability but turns out to be decidable. As a second step, we then identify a
fragment of rMSGs for which executability and implementability coincide so that
implementability is actually decidable for that class.
Let M = (E, C, ⇡, µ) 2 dMSC(A, P) be an MSC. Intuitively, M is executable if a
process p may know the pid of a process q at the time of (i) sending a message to
q, or (ii) sending the pid q to some other process. Here, process p may know q if
is it possible to pass q to p along the message flow. Let us be more precise. Given
q 2 Pids(M ) and an event e 2 E of M , we write q M e if there is a path from
the minimal event minq (M ) of q to e in M . This path might involve the reversal
1 )⇤ .
of the spawn edge that started q. That is, q M e if (minq (M ), e) 2 (C [ Cnew
In a sense, q M e indicates that the process executing e is aware of process q.
Next, we formally define executability of MSCs.
Definition 5.13 (executability). Let M = (E, C, ⇡, µ) 2 dMSC(A, P). A message (e, f ) 2 Cmsg with contents µ(e, f ) = a(p1 , . . . , pn ) is executable if
• {p1 , . . . , pn } ✓ Pids(M ), and
• q
M
e for every q 2 {⇡(f ), p1 , . . . , pn }.
Moreover, M is executable if each of its messages is executable. Finally, an rMSG
H is executable if each MSC from L(H) is executable.
}
89
Let M be an MSC and H be an rMSG. One can verify that
• M is executable iff {M } is implementable, and
• H is executable if it is implementable (while the converse might fail).
Example 5.14. For illustration, consider Figures 5.4 and 5.5 on page 86. There,
M2 , M3 , M4 are executable, while M1 is not. Moreover, the rMSG H5.6 is executable
(recall that it is actually implementable).
}
Executability leads us to another decision problem:
Problem 5.15. rMSG-Executability:
Input:
Question:
A ; rMSG H over A
Is L(H) executable ?
Unlike implementability, executability of rMSGs is decidable:
Theorem 5.16 ([BCH+ 13]). rMSG-Executability is in Pspace.
Proof (sketch). We will sketch the proof idea. The problem is reduced to a reachability problem in a finite transition system. Essentially, the transition system is
a finite unfolding of the given rMSG H. In particular, transitions are labeled with
the finitely many partial MSCs that occur in H. The locations of H are extended to
contain information about which processes know each other, or, equivalently, about
the -paths that exist between processes. We only need to take into account the
active processes, i.e., those processes that possibly execute further actions. As these
active processes can be identified with their respective registers, all the information
we need can be maintained within a finite alphabet.
More precisely, a state of the transition system that we are going to define is a pair
(`, CS ) where ` is a location of H and CS is the current communication structure.
The latter is a graph whose nodes are some of the (finitely many) registers. There
is an edge r
r0 if, informally speaking, the process associated with r is known
by (or, was communicated to) the process associated with r0 . Now, there is a
simulation relation between the “real”, infinitely many configurations of H and the
finitely many states of the transition system. This simulation relation is correct
in the following sense. If a path to (`, CS ) in the transition system simulates a
run ⇢ of H, say, to configuration (`, ⌧, U ), then, for all distinct r, r0 2 dom(⌧), we
have that ⌧(r) M (⇢) max⌧(r0 ) (M (⇢)) iff r
r0 is an edge in the communication
structure CS .
Now, rMSG H is not executable iff there is an accepting path in the transition
M
system using a transition (`, CS ) ! (`0 , CS 0 ) such that the (symbolic) partial
MSC M is not executable wrt. CS . Figure 5.7 illustrates a part of the transition
90
r0
ℓ0
r1
r0
r0
r0
r1
r2
r1
r1
com
com
r1
r2
r1
new
ℓ1
r0
r0
ℓ2
r0
r1
r2
r2
new
r1
ack(r1 )
ℓ3
r0
r1
ℓ1
new
r2
r0
✗
r1
com
com
Figure 5.7: Part of the finite symbolic transition system associated with H5.6
system for the executable rMSG H5.6 from Figure 5.6. Note that the crossed
transition is actually not in the transition system and just added for illustration:
since r0 does not know r1 in the current communication structure, it could not send
a message to r1 . From the existence of an accepting path using such as transition,
we could actually deduce that the underlying rMSG is not executable.
There is an alternative proof of decidability of rMSG-Executability, though it
does not directly give us a complexity upper bound. Indeed, executability is a
property that is definable in MSO logic. In turn, model checking rMSGs against
MSO properties is decidable, which can be shown along the same lines as for session
automata (cf. Theorem 4.35 on page 77).
Definition 5.17. The set MSO(A, P) of MSO formulas over A and P is built from
the following grammar:
a(x ,...,xn )
' ::= x Cnew y | x Cproc y | x Cmsg1
¬' | '1 _ '2 | 9x.' | 9X.'
y | x=y | x2X |
where a 2 A with arity(a) = n.
}
a(x ,...,x )
n
The only predicate that needs explanation is x Cmsg1
y. It says that events x
and y exchange a message of the form a(p1 , . . . , pn ) such that event xi is located
on pi , for all i 2 [n].2 With this, the satisfaction relation M |= ' for an MSC M
over A and P and a sentence ' 2 MSO(A, P) is defined as expected. We are now
ready to state that MSO model checking of rMSGs is decidable.
2
Alternatively, we could choose a logic in the style of Definition 3.19 on page 50, which quantifies over processes. Since a process can be identified with one of its event, this would not change
the expressive power.
91
Theorem 5.18. The following problem is decidable:
Instance:
Question:
A ; rMSG H over A and P ; ' 2 MSO(A, P)
M |= ' for all M 2 L(H) ?
The theorem generalizes a similar model-checking result for MSGs (without process
creation) [Mad01, MM01].
Let us come back to the alternative proof of decidability of executability of rMSGs.
By Theorem 5.18, it is sufficient to come up with an MSO(A, P)-formula that
defines executability. We let
'exec =
^
a2A
n=arity(a)
a(x ,...,xn )
8x, y, x1 , . . . , xn . x Cmsg1
y ! (y
x^
^
xi
x)
i2[n]
1 )⇤ ). Then, M is executable iff
where (y
x) = 9y 0 (y 0 C⇤proc y ^ (y 0 , x) 2 (C [ Cnew
M |= 'exec . This also proves decidability of rMSG-Executability (Problem 5.15
and Theorem 5.16).
5.5 Guarded Register MSC Graphs
Now that we have a decidable criterion that is sufficient for implementability, we
are interested in a fragment of rMSGs for which the criterion and implementability
coincide so that the latter actually becomes decidable. To do so, we adapt definitions that were given for MSGs [GMSZ06] and guarantee their implementability.
Guarded rMSGs are based on the notion of a leader process, which determines the
next transition to be taken in an rMSG.
Definition 5.19 (guarded rMSG). An rMSG H = (L, R , L0 , Lacc , r0 , T ) over
A is said to be guarded if
1. for all partial MSCs M = (E, C, ⇡, µ) 2 pMSC(A, R ) that occur in H, (E, C⇤ )
def
has a unique minimal element e—we let first(M ) = ⇡(e), and
M
2. there is a mapping leader : L ! R such that, for all transitions ` ! `0 ,
• leader (`) = first(M ),
• leader (`0 ) 2 Pids(M ), and,
• for all r 2 Pids(M ), maxr (M ) C⇤ maxleader (`0 ) (M ).
}
Intuitively, the last condition of 2. says that all processes of M terminate before
leader (`0 ) terminates.
92
Example 5.20. The rMSG H5.6 from Example 5.9 on page 88 is guarded. The
leaders as required in Definition 5.19 are given by leader (`i ) = ri for i 2 {0, 1, 2},
and leader (`i ) = r0 for i 2 {3, 4}.
}
Indeed, executability is both sufficient and necessary for implementability when we
restrict to the class of guarded rMSGs.
Theorem 5.21 ([BCH+ 13]). A guarded rMSG is implementable iff it is executable. Moreover, if it is implementable, then an equivalent DCA can be constructed in exponential time.
Proof (sketch). The proof is by construction of a DCA from an executable rMSG.
We give only a rough description of it. Essentially, we start from the rMSG enriched
with communication structures, as described in the proof of Theorem 5.16. This
enriched structure is then projected onto the processes (i.e., registers). However,
the nondeterminism in the rMSG can lead to potentially inconsistent runs if each
process is allowed to choose the next transition. The guardedness property helps
us to avoid this problem. We let the leader process nondeterministically choose the
next transition. This decision can be communicated to all other active processes,
thanks to the connectedness of the partial MSCs. During the simulation of each
process, we also attach the current communication structure to the messages so
that each process is aware of the processes that it knows and that other processes
know. This is essential to infer which registers have to be/must not be updated. By
guardedness of the underlying rMSG, it will be guaranteed that the communication
structure sent/received is always up-to-date.
5.6 Perspectives
In [BCH+ 13], we actually presented a richer version of rMSGs, which is equipped
with a branching operator (the formalism is called branching high-level MSCs).
This operator allows one to divide a current computation into subcomputations,
splitting the registers, and to merge the subcomputations once they terminate.
Branching high-level MSCs were inspired by branching automata [LW00, LW01],
which serve as recognizers of series-parallel pomsets. In terms of sequentializations,
adding branching capabilities may be seen as using an additional stack. Some
protocols such as the leader-election protocol, which are perfectly implementable
in terms of DCAs, can only be specified globally using pushdown stacks. The
seemingly close relation with series-parallel pomsets may help us to establish an
algebraic approach to dynamic concurrent systems. A related question for future
research concerns extensions of Zielonka’s theorem to a dynamic setting (cf. also
its generalization to a recursive setting in Chapter 2). We may consider rMSGs
as analogon of a finite automaton and study its closure under independent events.
One may then ask if this guarantees implementability in terms of a DCA.
93
94
CHAPTER
6
Static Timed Shared-Memory Systems
In this chapter, we turn towards quantitative systems. More precisely, we consider concurrent systems with a static and fixed communication structure, whose
processes obey timing constraints. Timed automata [AD94] are a well-studied formalism to describe sequential systems with timing. Networks of timed automata
have then been extensively studied as models of distributed timed systems (see,
e.g., [LPY95, BHR06, GL08, CCJ06, BCH12]). In most cases, it was assumed that
all processes evolve at the same speed, having knowledge of a global time.
However, it is not aways justified to assume that all processes proceed at the same
speed. Clock evolution may depend on temperature, workload, clock precision, etc.,
and drifting clocks are all the more a realistic assumption, since processes are more
and more often executed on physically distributed computers. In this section, we
study timed automata whose clocks evolve independently. More precisely, the set
of clocks is partitioned into equivalence classes, and equivalent clocks are running
at the same speed, while others do not necessarily. We will model timed systems
with one global state space, focussing on the new aspects of independently evolving
clocks. There are actually several natural distributed versions of that model (see
[DL07, ABG+ 14], for example), involving several processes. In particular, one may
assume that every clock is assigned to an owner process, and consider that two
clocks are equivalent if they belong to the same process. Actually, the semantics
of the distributed model considered in [ABG+ 14] is defined in terms of the timed
systems defined below.
95
6.1 Timed Automata with Independently Evolving Clocks
In the following, we let R 0 denote the set of non-negative real numbers and set
def
R>0 = R 0 \ {0}. For an alphabet ⌃, we let ⌃" = ⌃ ] {"}.
Let us formally define our model of timed automata with independently evolving
clocks, as well as their semantics.
Definition 6.1 (icTA). A timed automaton with independently evolving clocks
(icTA) over P is a tuple
A = (S, ⌃, C, , ◆, F, ⇠)
where (S, ⌃, C, , ◆, F ) is a classical timed automaton1 [AD94] and ⇠ is an equivalence relation to determine which clocks run at the same speed. Let us be more
precise:
• S is the nonempty finite set of states,
• ⌃ is the finite alphabet of actions,
• C is the nonempty finite set of clocks,
•
✓ S ⇥ ⌃" ⇥ Constr(C) ⇥ 2C ⇥ S is the finite set of transitions
(where the set Constr(C) of clock constraints is specified below),
• ◆ 2 S is the initial state,
• F ✓ S is the set of final states, and
• ⇠ ✓ C ⇥ C is an equivalence relation.
}
In the above definition, the set Constr(C) of clock constraints over C is given by
the grammar
' ::= true | false | x ./ c | ¬' | '1 _ '2 | '1 ^ '2
where x ranges over C, ./ 2 {<, , >, , =}, and c 2 N. A (clock) valuation is a
mapping ⌫ : C ! R 0 assigning to each clock its current value. Satisfaction of a
clock constraint ' wrt. a valuation ⌫ 2 Val(C) is defined as expected. If ⌫ satisfies
', we write ⌫ |= '. The set of clock valuations over C is denoted by Val(C).
A transition (s, a, ', R, s0 ) 2
shall be read as follows: being in state s, the
automaton can move on to state s0 and perform a 2 ⌃" provided the current clock
values satisfy constraint '. When the transition is taken, clocks from the set R ✓ C
are reset.
When x ⇠ y, then the clocks x and y evolve at the same speed, whereas x 6⇠ y
means that they evolve independently. Thus, if ⇠ = C ⇥ C, then we deal with a
def
classical timed automaton. By [x] = {y 2 C | x ⇠ y}, we denote the equivalence
1
Note that our model from [ABG+ 14] includes invariants (in terms of clocks constraints) on
states, which were necessary to obtain some negative results in the distributed setting. They are,
however, not essential for the presentation in this chapter so that we omit them for simplicity.
96
class of x. Since [x] can be seen as a set of clocks that belong to the same process,
def
we let P = {[x] | x 2 C} denote the set of equivalence classes induced by ⇠ (a
corresponding index is omitted, as ⇠ will be clear from the context). Moreover, we
let p and q range over P.
Equivalent clocks evolve according to some local time. In turn, local time is modeled relative to some global time. More precisely, for p 2 P, a local time function
is a mapping ⌧p : R 0 ! R 0 (from global time to local time), with ⌧p (0) = 0,
that is strictly increasing, diverging, and continuous. We set Rates to be the set
of tuples (⌧p )p2P where each ⌧p is a local time function. Note that ⌧ 2 Rates can
also be seen as a function R 0 ! RP 0 . Each of the two diagrams below illustrates
an element from Rates, where we assume that there are two equivalence classes, p
and q.
τp
τp
τq
τq
local time
global time
global time
For a valuation ⌫ : C ! R 0 and t = (tp )p2P 2 RP 0 , let ⌫ + t be the valuation
defined by (⌫ + t)(x) = ⌫(x) + t[x] . Intuitively, when time passes, we add, to every
clock x, the time elapse that corresponds to the local time of [x].
Usually, the semantics of a timed automaton is defined in terms of an infinite
automaton. A configuration of the infinite automaton keeps track of the current
state and the current clock valuation. In our setting, since the semantics will
be defined wrt. local times, we have to keep track of the current reference point
in the global-time scale. Thus, for ⌧ 2 Rates, we define an infinite automaton
A⌧ = (S, ⌃, !, ¯◆, F) where
• S = S ⇥ Val(C) ⇥ R
0
is the set of configurations,
• ¯◆ = (◆, {x 7! 0 | x 2 C}, 0) is the initial configuration, and
• F = F ⇥ Val(C) ⇥ R
0
is the set of final configurations.
Moreover, ((s, ⌫, t), a, (s0 , ⌫ 0 , t0 )) 2 S ⇥ ⌃" ⇥ S is contained in the transition relation
a
! (and we write (s, ⌫, t) ! (s0 , ⌫ 0 , t0 )) if t  t0 , there are ' 2 Constr(C) and R ✓ C
such that
• (s, a, ', R, s0 ) 2
• ⌫ + ⌧ (t0 )
,
⌧ (t) |= ', and
97
• ⌫ 0 = (⌫ + ⌧ (t0 ) ⌧ (t))[R] (which behaves like ⌫ + ⌧ (t0 )
from C \ R, and maps all clocks from R to 0).
⌧ (t) on all clocks
The language L(A⌧ ) of A⌧ is then defined as expected as a subset of ⌃⇤ . The
def
⌧ -semantics of A is L(A, ⌧ ) = L(A⌧ ).
However, the precise local time rate ⌧ may be difficult to predict or simply be
unknown. This is why we introduce two more semantics (actually three as we will
see later) that do not depend on concrete time rates. One is an overapproximation
of the ⌧ -semantics, while the other is an underapproximation. The choice of the
precise semantics depends on the system property that one may wish to verify.
Definition 6.2 (semantics). Let A = (S, ⌃, C, T, s0 , F, ⇠) be an icTA. We let
def
L9 (A) =
S
⌧ 2Rates L(A, ⌧ )
T
def
L8 (A) = ⌧ 2Rates L(A, ⌧ )
be the existential and, respectively, universal semantics of A.
}
Example 6.3. Consider the icTA A from Figure 6.1, with clocks x and y such
that x 6⇠ y. Suppose first that both clocks evolve at the same speed as global time,
i.e., we assume id = (⌧[x] , ⌧[y] ) 2 Rates where ⌧[x] and ⌧[y] are both the identity
function on R 0 . Then, we actually deal with an ordinary timed automaton, and
it is easily seen that A accepts a, ab, and b. By definition, all these words are
also in the existential semantics. On the other hand, L(A, id) does not contain c:
since there are no resets in A, accepting c would require y to run faster than x at
some point, which contradicts the assumption of synchronous clocks. We deduce
that c is not contained in the universal semantics of A. However, it is in the
existential one: we can choose time rates such that x < 1 < y is eventually satisfied,
activating the transition from s0 to s5 . The same rates witness the fact that b is
not contained in the universal semantics. We still have to check containment of a
and ab in L8 (A). Clearly, a 2 L8 (A): since local time rates are strictly increasing,
(0 < x < 1) ^ (0 < y < 1) is eventually satisfied so that the transition from s0
to s1 can always be taken. Finally, ab 2 L8 (A) also holds, though by a more
subtle argument. First, note that guard y  1  x on the transition from s1 to
s3 and guard x < 1 = y on the transition from s2 to s3 are complementary: one
of them will eventually be satisfied, but not both of them. As local time rates are
given in advance, there is always a way to reach the final state s3 while reading ab.
Summarizing, we have
• L(A, id) = {a, ab, b},
• L9 (A) = {a, ab, b, c}, and
• L8 (A) = {a, ab}.
}
As suggested above, we may now use L9 (A) to check safety properties: given a
regular set Bad ✓ ⌃⇤ of undesired behaviors, the corresponding model-checking
98
s4
a
0<x<1
0<y<1
b
y≤1≤x
s1
b
y≤1≤x
s0
s5
c
x<1<y
s3
a
0<x<1
0<y<1
s2
b
x<1=y
Figure 6.1: The icTA A with independent clocks x and y
problem asks whether L9 (A) \ Bad = ;. Dually, we use L8 (A) to check liveness
properties: given a regular set Good of behaviors that the system should exhibit,
no matter what the local time functions are, we would like to have Good ✓ L8 (A).
So, the next question to ask is if the above problems are solvable, say, when Bad
and Good are given as regular languages. While the answer is positive in the case
of the existential semantics, we will show that nonemptiness (and universality) of
the universal semantics are undecidable.
Note that very similar models with clock drifts have already been studied [Pur00,
DDMR04, DL07, SFK08]. However, the semantics considered there rather correspond to the existential semantics and the questions studied were actually quite
different.
6.2 The Existential Semantics
In this section, we argue that the existential semantics is always regular and can
be effectively computed. Therefore, it can be used to check safety properties of a
given icTA.
Theorem 6.4 ([ABG+ 14]). Let A be an icTA. Then, L9 (A) is a regular language that can be effectively represented as a finite automaton.
In the rest of this section, we sketch the proof of Theorem 6.4.
Note that the above result was known for timed automata with perfectly synchronous clocks. Actually, the proof of Theorem 6.4 is done via a conservative
extension of the region automaton associated with an ordinary timed automaton.
The main idea of the region automaton is to discretize clock valuations, i.e., to
classify them into finitely many equivalence classes, called (clock) regions. The regions of a classical timed automaton with two clocks are depicted on the left-hand
side of Figure 6.2. The clue is that
• regions are coarse enough to give rise to finitely many equivalence classes,
99
• regions are fine enough to be faithfully evaluated over the guards that occur
in the underlying finite automaton, and
• equivalent regions are crossing the same regions when letting time elapse and
resetting clocks from time to time. In particular, the time-elapse successors
for a given region are uniquely determined.
Note that the region partitioning actually depends on the largest constant that a
clock is compared with in the automaton (in the example, 2 for clock y and 3 for
clock x). Note that the left-hand side of Figure 6.2 indeed assumes that clocks x
and y are synchronous. Speaking in terms of icTAs, they are equivalent, i.e., x ⇠ y.
When x 6⇠ y, the region equivalence is coarser. As illustrated on the right-hand
side of Figure 6.2, the diagonal regions are abandoned. The reason is that x and
y may evolve at different speeds. In particular, from the initial region, induced by
{x 7! 0, y 7! 0}, any other region is “reachable”. Actually, we must not include
diagonal regions, as the induced region-successor relation would not be a partial
order anymore and spoil forthcoming constructions.
y
y
x
x
Regions when x ⇠ y
Regions when x 6⇠ y
Figure 6.2: Region successors
Let us be (slightly) more formal, and let A = (S, ⌃, C, , ◆, F, ⇠) be an icTA. Let
p 2 P. Given a clock valuation ⌫ 2 Val(C), we define its p-restriction ⌫p : p ! R 0
by ⌫p (x) = ⌫(x) for all x 2 p. We say that two clock valuations ⌫ and ⌫ 0 over
C are equivalent if, for all p 2 P, the restrictions ⌫p and ⌫p0 are equivalent in the
classical sense wrt. the clocks in p.2 Recall that this equivalence depends on the
largest constants the clocks are compared with. We write [⌫] for the equivalence
def
class of ⌫. By Regions(A) = {[⌫] | ⌫ 2 Val(C)}, we denote the set of (clock) regions
induced by A. Note that Regions(A) is finite.
Let , 0 2 Regions(A) be two clock regions. We say that 0 is accessible from
, written
v 0 , if either
= 0 or there are ⌫ 2 , ⌫ 0 2 0 , and t 2 RP
>0
such that ⌫ 0 = ⌫ + t. Note that v is a partial-order relation on Regions(A). The
direct-successor relation, written @
· 0 , is, as usual, defined by v 0 , 6= 0 ,
and 00 = or 00 = 0 for all clock regions 00 with v 00 v 0 . The relation @
·
is represented on the right-hand side of Figure 6.2 by arrows pointing from one to
another region.
2
We assume the reader is familiar with the region equivalence for ordinary timed automata
and simply refer to [AD94] or to the left-hand side of Figure 6.2.
100
s0
ε
a
s1
ε
s1
a
s0
ε
ε
s1
ε
s1
b
s3
s2
s2
b
ε
ε
s2
s2
b
s3
s3
Figure 6.3: Part of the region automaton A9 of the icTA A from Figure 6.1
We will now associate with an icTA A = (S, ⌃, C, , ◆, F, ⇠) a finite automaton
recognizing its existential semantics (the correctness proof is omitted, though). A
modified, game-based version of that finite automaton will later be used to define
a semantics that underapproximates the universal semantics. We define the finite
automaton A9 = (S, ⌃, , ¯◆, F) over ⌃ by
• S = S ⇥ Regions(A),
• ¯◆ = (◆, [{x 7! 0 | x 2 C}]), and
• F = F ⇥ Regions(A).
Moreover, the transition relation ✓ S ⇥ ⌃" ⇥ S is partitioned into a set
discrete transitions and a set 1 of timed transitions:
a
• The set 0 contains (s, ) ! (s0 , 0 ) if there are ⌫ 2
such that ⌫ |= ' and ⌫[R] 2 0 .
• The set
1
a
0
of
and (s, a, ', R, s0 ) 2
contains (s, ) ! (s0 , 0 ) if a = ", s = s0 , and
@
·
0.
Example 6.5. Part of the region automaton A9 belonging to the icTA A from
Figure 6.1 is depicted in Figure 6.3. Discrete transitions origin in rounded boxes,
time-elapse transitions in rectangular boxes. The extract shows that a and ab are
contained in the existential semantics of A and that A9 admits even two accepting
runs on ab. The latter observation corresponds to the fact that ab is accepted for
local time rates that are crossing different regions.
}
Now, Theorem 6.4 follows by the following lemma:
Lemma 6.6. We have L(A9 ) = L9 (A).
101
6.3 The Universal Semantics
Next, we show that, unlike the existential semantics, the universal semantics comes
with an undecidable nonemptiness problem.
Theorem 6.7 ([ABG+ 14]). The following problem is undecidable:
Instance:
Question:
icTA A
L8 (A) 6= ; ?
In the rest of this section, we prove Theorem 6.7. The proof is by reduction from
Post’s correspondence problem (PCP).
Problem 6.8. Post’s correspondence problem (PCP):
Input:
Question:
Finite alphabet ⌃ and morphisms f, g : ⌃⇤ ! {0, 1}⇤
Is there w 2 ⌃+ such that f (w) = g(w) ?
Let ⌃ = {a1 , . . . , ak }, where k
1, and f, g be an instance of the PCP. We will
determine an icTA A with set of clocks {x, y} and x 6⇠ y such that L8 (A) =
{w 2 ⌃+ | f (w) = g(w)}, i.e., the universal semantics of A contains precisely the
solutions to the PCP instance. One ingredient of the construction is an encoding of
sequences over {0, 1} in terms of local time functions. Let p = {x} and q = {y} be
the equivalence classes induced by ⇠, and suppose ⌧ = (⌧p , ⌧q ) 2 Rates. Actually,
⌧ will encode a word in {0, 1, 2}! . We do this using (1 ⇥ 1)-square regions. If the
rate function leaves this region by the upper boundary or by the right boundary,
then we write 0 or 1, respectively. If it leaves the square by the end-point (1, 1),
then we write 2. A new square region is started at the point where the rate function
left the old one. Thus, the direction sequences partition the space of time rates.
This is illustrated in Figure 6.4, where we obtain dir (⌧ ) = 101 . . .
y
1
0
1
x
Figure 6.4: Binary sequence associated with local times
Let us formalize the encoding. With ⌧ , we associate a sequence t-dir (⌧ ) = t1 t2 . . . 2
(R 0 )! of time instances and a sequence dir (⌧ ) = d1 d2 . . . 2 {0, 1, 2}! of directions
102
as follows: for i
1, we let first (assuming t0 = 0) ti = min{t > ti
⌧r (ti 1 ) = 1 for some r 2 {p, q}}. With this, we set
8
>
<0 if ⌧p (ti ) ⌧p (ti 1 ) < 1 and ⌧q (ti ) ⌧q (ti 1 ) = 1
di = 1 if ⌧q (ti ) ⌧q (ti 1 ) < 1 and ⌧p (ti ) ⌧p (ti 1 ) = 1
>
:
2 otherwise
1
| ⌧r (t)
We will now construct the icTA A = (S, ⌃, C, T, ◆, F, ⇠), with ⌃ = {a1 , . . . , ak },
C = {x, y}, and x 6⇠ y, such that L8 (A) = {w 2 ⌃+ | f (w) = g(w)}. We proceed
in two steps:
Step 1: We construct icTAs
Af = (S, ⌃, C,
Ag = (S 0 , ⌃, C,
, ◆, F, ⇠)
0 , ◆0 , F 0 , ⇠)
(with the same ⌃, C, and ⇠) such that, for all ⌧ 2 Rates:
L(Af , ⌧ ) = { w 2 ⌃+ | f (w).2 6 dir (⌧ ) }
L(Ag , ⌧ ) = { w 2 ⌃+ | g(w).2  dir (⌧ ) }
Here,  denotes the prefix relation on words and u.v denotes the concatenation of u and v.
Step 2: We build an icTA A = Af _ Ag , which simply branches nondeterministically into Af or Ag .
With this, one can easily show the following:
Claim 6.9. We have
L8 (A) = {w 2 ⌃+ | f (w) = g(w)} .
Proof. For the inclusion from left to right, let w 2 L8 (A). Then, w 2 ⌃+ and, for
all ⌧ 2 Rates, w 2 L(Af , ⌧ ) or w 2 L(Ag , ⌧ ), i.e., f (w).2 6 dir (⌧ ) or g(w).2 
dir (⌧ ). In particular, there is ⌧ 2 Rates with dir (⌧ ) 2 f (w).2.{0, 1, 2}! and
such that f (w).2 6 dir (⌧ ) or g(w).2  dir (⌧ ). As f (w), g(w) 2 {0, 1}⇤ , we have
f (w) = g(w).
For the inclusion from right to left, let w 2 ⌃+ such that f (w) = g(w). Let
⌧ 2 Rates. Trivially, we have f (w).2 6 dir (⌧ ) or f (w).2  dir (⌧ ). As f (w) = g(w),
the latter implies g(w).2  dir (⌧ ). Therefore, w 2 L(A, ⌧ ). We conclude that
w 2 L8 (A).
The construction of Af and Ag is not difficult and can be found in [ABG+ 14]. Let
us just mention that, to “detect” this encoding in automata, we use the guards
x < 1 ^ y = 1 (for 0),
103
y < 1 ^ x = 1 (for 1),
x = 1 ^ y = 1 (for 2),
as well as their negations. Then, applying a new square, as described above,
corresponds to resetting both clocks simultaneously.
This concludes the proof of Theorem 6.7. A very similar construction yields undecidability of the universality problem:
Theorem 6.10 ([ABG+ 14]). The following problem is undecidable:
Instance:
Question:
icTA A = (S, ⌃, C,
L8 (A) = ⌃⇤ ?
, ◆, F, ⇠)
Remark 6.11. The essence of the proof technique presented above is universal in
the sense that it can be easily carried over to other settings such as word transducers. A word transducer over two finite alphabets ⌃ and is a finite automaton
A whose (finitely many) transitions have labels from ⌃⇤ ⇥ ⇤ . In the expected
manner, A determines a (rational) relation R(A) ✓ ⌃⇤ ⇥ ⇤ . A very well known
decision problem is universality, which asks whether R(A) = ⌃⇤ ⇥ ⇤ holds. The
problem can easily be shown undecidable by a reduction from the PCP. Slightly
adapting our proof technique, one can now show that the existential version of the
problem is undecidable, too: is there a word u 2 ⌃⇤ such that, for all v 2 ⇤ , we
have (u, v) 2 R(A) ? The problem seems natural: just like in the timed setting, the
alphabet may model a set of signals, emitted from an environment, that trigger
behaviors from ⌃. When, now, the environment is not under control of the system,
checking liveness specifications indeed amounts to asking the existential version of
the better known problem. However, we are not aware of that undecidability result
in the literature, where only universality seems to be considered.
6.4 The Reactive Semantics
The undecidability results around the universal semantics are, of course, unsatisfactory, since they imply that liveness properties cannot be checked for icTAs. In
this section, we will present the reactive semantics. The reactive semantics is an
underapproximation of the universal semantics. Like the existential semantics, it
is always a regular set that can be effectively represented as a finite automaton.
Thus, it will allow us to verify icTAs against (certain) liveness properties.
To motivate the reactive semantics, it is important to understand the reason for
undecidability of the universal semantics and decidability in the existential case. To
do so, it will be useful to consider both, the existential and the universal semantics,
as a game. We may think of a two-player game, played by Player 0 and Player
1, where Player 0 controls the transitions of the icTA, while Player 1 controls the
104
time evolution. In the existential semantics, both players cooperate, and we may
actually think of one single player who chooses, given a word w 2 ⌃⇤ , both, time
rates and a run through the automaton accepting w. In the universal semantics,
Player 0 aims at “accepting” the word, while Player 1 wants to “reject” the word.
In other words, Player 1 tries to choose time rates in a way that does not allow
Player 0 to navigate the icTA into a final state while reading w. Note that the
game is not turned-based since Player 1 has to reveal its time rates entirely in
advance. Thus, we actually deal with an imperfect-information game: Player 1 has
no means to react upon the moves played by Player 0, so that it is, in a sense,
blind. Now, imperfect information is actually often the reason for undecidability
(see, e.g., [PR79, PRA01]). So, we will try to modify the game for the universal
semantics to make it a turn-based, perfect-information game. In other words, we
will equip Player 1 with more power.
In the following, we will first define a kind of reachability game, and then associate
a game with an icTA and an input word. The reactive semantics will be defined
as the set of words for which Player 0 has a winning strategy. This set can be
represented as the language of an alternating two-way automaton, which shows its
regularity.3
Definition 6.12 (game). A game is a tuple G = (S0 , S1 , ⌃, ¯ , ¯◆, F) where
• S0 and S1 are disjoint sets of states, which belong to Player 0 and Player 1,
respectively, and we let S = S0 [ S1 ,
• ⌃ is a finite alphabet,
• ¯◆ 2 S is the initial state,
• F ✓ S is the set of final states, which are winning for Player 0, and
• ¯ ✓ S ⇥ ⌃" ⇥ S is the transition relation.
We require that, for all states s 2 S, there are a 2 ⌃" and s0 2 S such that
(s, a, s0 ) 2 ¯ .
}
A (positional) strategy for Player i, with i 2 {0, 1}, is a mapping : Si ! ⌃" ⇥ S
such that (s) = (a, s0 ) implies (s, a, s0 ) 2 ¯ , for all (s, a, s0 ) 2 Si ⇥ ⌃" ⇥ S. Let 0
and 1 be strategies for Player 0 and Player 1, respectively. The play of G induced
by 0 and 1 is the unique infinite sequence (s0 , a1 , s1 , a2 , s2 , . . .), with si 2 S and
ai 2 ⌃" , such that s0 = ¯◆ and, for all i 0, si 2 S0 implies 0 (si ) = (ai+1 , si+1 ),
and si 2 S1 implies 1 (si ) = (ai+1 , si+1 ). We say that 0 is winning for w 2 ⌃⇤ if,
for all strategies 1 for Player 1, the play (s0 , a1 , s1 , a2 , s2 , . . .) induced by 0 and
0 such that both sn 2 F and w = a1 · . . . · an (i.e., w is
1 contains a position n
the concatenation of a1 , . . . , an ).
Now, we will associate, with a given icTA A = (S, ⌃, C,
G(A) = (S0 , S1 , ⌃, ¯ , ¯◆, F), which is defined as follows:
3
, ◆, F, ⇠), the game
In the original article [ABG+ 14], the semantics was presented directly in terms of an alternating two-way automaton.
105
ε
s0
s0
r0
r3
a
s1
ε
s1
r1
s1
a
s0
r2
ε
ε
ε
s1
r2
s2
ε
s2
ε
ε
s2
r4
s2
r5
b
s3
b
b
s3
s3
Figure 6.5: Part of the game G(A) of the icTA A from Figure 6.1
• S0 = (S ⇥ Regions(A) ⇥ {0}) [ {†0 },
• S1 = (S ⇥ Regions(A) ⇥ {1}) [ {†1 },
• ¯◆ = (◆, [{x 7! 0 | x 2 C}], 0), and
• F = F ⇥ Regions(A) ⇥ {0, 1}.
Assume that 0 and 1 are the sets of discrete and, respectively, time-elapse transia
tions of the finite automaton A9 (cf. Section 6.2). Then, (s, , pl ) ! (s0 , 0 , pl 0 ) 2
S ⇥ ⌃" ⇥ S is contained in ¯ if one of the following holds:
• pl = 0 and pl 0 = 1 and (s, ) = (s0 , 0 ), or
• pl = 0 and pl 0 = 0 and ((s, ), a, (s0 , 0 )) 2
0,
• pl = 1 and pl 0 = 0 and ((s, ), a, (s0 , 0 )) 2
1.
or
Moreover, ¯ contains transitions
• (†0 , ", †0 ) and (s̄, ", †0 ) for all s̄ 2 S0 , and
• (†1 , ", †1 ) and ((s, , 1), ", †1 ) for all s 2 S and @
· -maximal .
Definition 6.13. Let A = (S, ⌃, C,
of A is defined as the set
, ◆, F, ⇠) be an icTA. The reactive semantics
def
Lreact (A) = {w 2 ⌃⇤ | Player 0 has a winning strategy for w in G(A)} .
106
}
Example 6.14. Part of the game G(A) of the icTA A from Figure 6.1 on page 99
is depicted in Figure 6.5. Here, rounded states belong to Player 0, and rectangular
states belong to Player 1. We will argue that a is the only word for which Player
0 has a winning strategy in G(A). To accept a, Player 0 will go from r0 to r1
(which is the only possible choice). Player 1 will have to respond by moving to r2
whereupon Player 0 can conclude by going to the accepting configuration r3 , while
reading a. However, Player 0 does not have a winning strategy for ab: whatever
a-transition Player 0 will choose in r2 , Player 1 may go to r4 or, respectively, r5 ,
so that reading b is no longer possible. We deduce that Lreact (A) = {a}.
}
Theorem 6.15 ([ABG+ 14]). Let A be an icTA. Then, Lreact (A) is a regular
language that can be effectively represented as a finite automaton.
Proof (sketch). The reactive semantics Lreact (A) is the language of some alternating two-way automaton (over words). The automaton has existential transitions
(those taken by Player 0) and universal transitions (those taken by Player 1). The
fact that we need two-way transitions comes from the "-moves. More precisely, the
alternating two-way automaton does never go backward, but may stay at the same
position when taking a transition.
6.5 Perspectives
There is a an obvious difference between the model presented in this chapter and
those from Chapters 2, 3, and 5: The semantics of a system is defined in terms
of a word language, though we deal with a concurrent system. The main reason
is that a pure graph and the associated partial order do not necessarily reflect
causal dependencies when timing constraints come into play. There are some approaches to “marrying” the partial-order semantics and timed words (see, e.g.,
[BJLY98, LNZ05, BCH12]). Unfortunately, they are not directly applicable to our
setting, since time stamps are in a sense meaningless in icTAs, as explained at the
beginning of this chapter. However, since the partial-order approach is important
and convenient for specifications, this aspect should be investigated more closely.
It will also be worthwhile to study the realizability problem, which we did not tackle
for this timed case. In the distributed setting with several timed automata, the
problem may read as follows: given a regular language L and a process topology,
is there a distributed timed automaton A such that L9 (A) = L8 (A) = L? If the
answer is affirmative, then A may be seen as a robust implementation of L. Here,
the process topology will fix the set of processes and their reading capabilities such
as “clocks of p can be read by q” (in terms of guards). This framework is then
similar to [Gen05] where untimed message-passing systems have been studied.
107
108
CHAPTER
7
Conclusion
In this thesis, we conducted a study of automata models of concurrent programs,
covering systems of various kinds. Those may involve recursive procedure calls,
feature message-passing or shared-variable communication, and either come with a
static and fixed topology or involve an unbounded number of processes, be it in a
dynamic or parameterized setting. Our study was driven by applicability in formal
design and verification, which stands or falls with the robustness of the formalisms
considered. Whether an automata model is robust may be evaluated on the basis of
the following criteria: decidability of the emptiness problem, closure under boolean
operations, or existence of equivalent logical and algebraic characterizations. Not
only are those properties interesting from an algorithmic point of view, but they
also provide us with a deeper understanding of an automata class.
Unfortunately, even simple systems such as message-passing programs are inherently not robust: they have an undecidable emptiness problem and are not closed
under complementation. However, limiting the behavior in a nontrivial meaningful way allows us to recover those properties. In this thesis, we introduced some
automata models (and reviewed known ones in unifying frameworks) that turned
out to be robust under some natural behavioral restrictions:
• nested-trace automata as a model of concurrent recursive programs,
• parameterized communicating automata as a model of message-passing systems with static but unknown process topology, and
• session automata, which are models of sequential dynamic systems.
We showed that all these models have a decidable emptiness problem and are
expressively equivalent to monadic second-order logic when their behaviors are re109
stricted suitably to a bounded number of contexts or sessions, respectively. Moreover, we provided several decidability results for
• dynamic communicating automata, a model of message-passing systems with
dynamically evolving communication topology, and
• distributed timed automata, which reflect concurrent systems whose processes
communicate via independently evolving clocks.
Those results relied on different ideas. In the former case, we introduced a sufficient
criterion for implementability to get some decidability, whereas the latter model
came with natural under- and overapproximative semantics, though those were
quite different from the idea of bounding the number of contexts.
In the future, since more and more systems are designed for an open world, parameterized and dynamic systems are particularly worth being studied further.
Though they have indeed received increasing interest in recent years, there is,
by now, no canonical approach to modeling and verifying such systems. A longterm goal should, therefore, be a unifying theory that lays algebraic, logical, and
automata-theoretic foundations to support and facilitate the study of parameterized and dynamic concurrent systems. As we have seen, such theories indeed
exist in non-parameterized settings where the number of processes and the way
they are connected are fixed in advance. However, parameterized and dynamic
systems lack such foundations and often restrict to very particular models with
specialized verification techniques. This is especially true as far as algebraic approaches are concerned that may provide high-level expressions for parameterized
systems. Algebraic studies of languages over infinite alphabets can be found in
[BPT03, FK03, Boj13]. Algebraic approaches to nested-word languages have been
proposed in [Cyr10, BS12]. Though it is not clear how all those techniques fit into
the synthesis and verification of parameterized and dynamic systems, it will be
worthwhile to explore possible connections.
In addition, several extensions/variations of the notions from this thesis are worth
being studied:
• While we considered finite, terminating behaviors, the study of infinite structures would allow us to model reactive systems. There has been a lot of work
on such extensions for concurrent systems (e.g., [DM94, Mus94, DGP95,
Kus03, BK08]), and we believe that many of the results in this thesis go
through in an infinite setting with minor adjustments.
• A substantial change in direction would be to consider branching-time behavior instead of a linear-time semantics. Recall that we defined the semantics
of a system in terms of all (accepted) behaviors. As a consequence, a specification can only talk about one fixed behavior, but not about the branching
structure of a system. While the branching behavior of a sequential system
can be seen as a tree, that of a concurrent system is better reflected by an
event structure [WN95]. Though that setting is substantially more complicated, there have been positive model-checking results [Pen97, Mad03]. An
110
unresolved question is whether those results can be transferred to recursive,
dynamic, or parameterized systems. A starting point may be dynamic sequential systems (cf. Chapter 4) where a branching-time behavior is naturally
represented by a data tree [BMSS09]. Recursive systems, in turn, would give
rise to nested trees [ACM06].
• Models of concurrent systems that communicate with an (uncontrollable)
environment are usually dealt with in the context of distributed games and
distributed control/synthesis (cf. [SF07, GS13, GGMW13, MW14] for recent
advances). Note that there are also some intimate connections with the
above-mentioned branching-time setting [MTY05]. Parameterized synthesis
has been studied in [JB14], and it would be worthwhile to explore possible
extensions to a recursive or dynamic setting.
111
112
Bibliography
[AAB+ 08] R. Alur, M. Arenas, P. Barceló, K. Etessami, N. Immerman, and
L. Libkin. First-order and temporal logics for nested words. Logical
Methods in Computer Science, 4(11):1–44, 2008.
[ABG13] S. Akshay, B. Bollig, and P. Gastin. Event-clock message passing
automata: A logical characterization and an emptiness checking algorithm. Formal Methods in System Design, 42(3):262–300, 2013.
[ABG+ 14] S. Akshay, B. Bollig, P. Gastin, M. Mukund, and K. Narayan Kumar.
Distributed timed automata with independently evolving clocks. Fundamenta Informaticae, 130(4):377–407, 2014.
[ABH08] M. F. Atig, B. Bollig, and P. Habermehl. Emptiness of multipushdown automata is 2ETIME-complete. In DLT’08, volume 5257
of LNCS, pages 121–133. Springer, 2008.
[ABKS12] M. F. Atig, A. Bouajjani, K. Narayan Kumar, and P. Saivasan.
Linear-time model-checking for multithreaded programs under scopebounding. In ATVA’12, volume 7561 of LNCS, pages 152–166.
Springer, 2012.
[ABQ11] M. F. Atig, A. Bouajjani, and S. Qadeer. Context-bounded analysis
for concurrent programs with dynamic creation of threads. Logical
Methods in Computer Science, 7(4), 2011.
[ACM06] R. Alur, S. Chaudhuri, and P. Madhusudan. Languages of nested
trees. In CAV’06, volume 4144 of LNCS, pages 329–342. Springer,
2006.
[AD94] R. Alur and D. L. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183–235, 1994.
113
[ADGS13] S. Akshay, I. Dinca, B. Genest, and A. Stefanescu. Implementing
realistic asynchronous automata. In FSTTCS’13, volume 24 of Leibniz International Proceedings in Informatics, pages 213–224. Schloss
Dagstuhl - Leibniz-Zentrum fuer Informatik, 2013.
[AEM04] R. Alur, K. Etessami, and P. Madhusudan. A temporal logic of nested
calls and returns. In TACAS’04, volume 2988 of LNCS, pages 467–
481. Springer, 2004.
[AEY05] R. Alur, K. Etessami, and M. Yannakakis. Realizability and verification of MSC graphs. Theoretical Computer Science, 331(1):97–114,
2005.
[AG14] C. Aiswarya and P. Gastin. Reasoning about distributed systems:
WYSIWYG. In FSTTCS’14, volume 29 of Leibniz International Proceedings in Informatics, pages 11–30. Leibniz-Zentrum für Informatik,
2014.
[AGNK14a] C. Aiswarya, P. Gastin, and K. Narayan Kumar. Controllers for
the verification of communicating multi-pushdown systems. In CONCUR’14, volume 8704 of LNCS, pages 297–311. Springer, 2014.
[AGNK14b] C. Aiswarya, P. Gastin, and K. Narayan Kumar. Verifying communicating multi-pushdown systems via split-width. In ATVA’14, volume
8837 of LNCS, pages 1–17. Springer, 2014.
[AHH13] P. A. Abdulla, F. Haziza, and L. Holík. All for the price of few. In
VMCAI’13, volume 7737 of LNCS, pages 476–495. Springer, 2013.
[AJ93] P. A. Abdulla and B. Jonsson. Verifying programs with unreliable
channels. In LICS’03, pages 160–170. IEEE Computer Society Press,
1993.
[AJKR14] B. Aminof, S. Jacobs, A. Khalimov, and S. Rubin. Parameterized
model checking of token-passing systems. In VMCAI’14, volume 8318
of LNCS, pages 262–281. Springer, 2014.
[AKR+ 14] B. Aminof, T. Kotek, S. Rubin, F. Spegni, and H. Veith. Parameterized model checking of rendezvous systems. In CONCUR’14, volume
8704 of LNCS, pages 109–124. Springer, 2014.
[AM09a] R. Alur and P. Madhusudan. Adding nesting structure to words.
Journal of the ACM, 56(3):1–43, 2009.
[AM09b] R. Alur and P. Madhusudan. Adding nesting structure to words.
Journal of the ACM, 56:1–43, 2009.
[Arm07] J. Armstrong. Programming Erlang: Software for a Concurrent
World. Pragmatic Bookshelf, 2007.
114
[Ati10] M. F. Atig. Global Model Checking of Ordered Multi-Pushdown Systems. In FSTTCS’10, volume 8 of Leibniz International Proceedings
in Informatics, pages 216–227. Leibniz-Zentrum für Informatik, 2010.
[BCCC96] L. Breveglieri, A. Cherubini, C. Citrini, and S. Crespi Reghizzi. Multipush-down languages and grammars. International Journal of Foundations of Computer Science, 7(3):253–292, 1996.
[BCGNK12] B. Bollig, A. Cyriac, P. Gastin, and K. Narayan Kumar. Model checking languages of data words. In FoSSaCS’12, volume 7213 of LNCS,
pages 391–405. Springer, 2012.
[BCGZ14] B. Bollig, A. Cyriac, P. Gastin, and M. Zeitoun. Temporal logics
for concurrent recursive programs: Satisfiability and model checking.
Journal of Applied Logic, 2014. To appear.
[BCH12] S. Balaguer, T. Chatain, and S. Haar. A concurrency-preserving
translation from time petri nets to networks of timed automata. Formal Methods in System Design, 40(3):330–355, 2012.
[BCH+ 13] B. Bollig, A. Cyriac, L. Hélouët, A. Kara, and T. Schwentick. Dynamic communicating automata and branching high-level MSCs. In
LATA’13, volume 7810 of LNCS, pages 177–189. Springer, 2013.
[BD13] K. Bansal and S. Demri. Model-checking bounded multi-pushdown
systems. In CSR’13, volume 7913 of LNCS, pages 405–417. Springer,
2013.
[BDM+ 11] M. Bojanczyk, C. David, A. Muscholl, T. Schwentick, and L. Segoufin.
Two-variable logic on data words. ACM Trans. Comput. Log.,
12(4):27, 2011.
[BET03] A. Bouajjani, J. Esparza, and T. Touili. A generic approach to the
static analysis of concurrent programs with procedures. International
Journal on Foundations of Computer Science, 14(4):551–582, 2003.
[BGH09] B. Bollig, M.-L. Grindei, and P. Habermehl. Realizability of concurrent recursive programs. In FoSSaCS’09, volume 5504 of LNCS, pages
410–424. Springer, 2009.
[BGK14] B. Bollig, P. Gastin, and A. Kumar. Parameterized communicating
automata: Complementation and model checking. In FSTTCS’14,
volume 29 of Leibniz International Proceedings in Informatics, pages
625–637. Leibniz-Zentrum für Informatik, 2014.
[BGP08] J. Borgström, A. Gordon, and A. Phillips. A chart semantics for
the Pi-calculus. Electronic Notes in Theoretical Computer Science,
194(2):3–29, 2008.
115
[BGS14] B. Bollig, P. Gastin, and J. Schubert. Parameterized verification of
communicating automata under context bounds. In RP’14, volume
8762 of LNCS, pages 45–57. Springer, 2014.
[BHLM14] B. Bollig, P. Habermehl, M. Leucker, and B. Monmege. A robust class
of data languages and an application to learning. Logical Methods in
Computer Science, 2014.
[BHR06] P. Bouyer, S. Haddad, and P.-A. Reynier. Timed unfoldings for networks of timed automata. In ATVA’06, volume 4218 of LNCS, pages
292–306. Springer, 2006.
[BJLY98] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi. Partial order reductions for timed systems. In CONCUR’98, volume 1466 of LNCS,
pages 485–500. Springer, 1998.
[BK08] B. Bollig and D. Kuske. Muller message-passing automata and logics.
Information and Computation, 206(9-10):1084–1094, 2008.
[BK12] B. Bollig and D. Kuske. An optimal construction of Hanf sentences.
Journal of Applied Logic, 10(2):179–186, 2012.
[BKM10] B. Bollig, D. Kuske, and I. Meinecke. Propositional dynamic logic
for message-passing systems. Logical Methods in Computer Science,
6(3:16), 2010.
[BKM13] B. Bollig, D. Kuske, and R. Mennicke. The complexity of model checking multi-stack systems. In LICS’13, pages 163–170. IEEE Computer
Society Press, 2013.
[BL06] B. Bollig and M. Leucker. Message-passing automata are expressively
equivalent to EMSO logic. Theoretical Computer Science, 358(2):150–
172, 2006.
[BL10] M. Bojańczyk and S. Lasota. An extension of data automata that
captures XPath. In LICS’10, pages 243–252. IEEE Computer Society
Press, 2010.
[BMSS09] M. Bojańczyk, A. Muscholl, T. Schwentick, and L. Segoufin. Twovariable logic on data trees and applications to XML reasoning. Journal of the ACM, 56(3), 2009.
[Boj13] M. Bojanczyk. Nominal monoids. Theory of Computing Systems,
53(2):194–222, 2013.
[Bol08] B. Bollig. On the expressive power of 2-stack visibly pushdown automata. Logical Methods in Computer Science, 4(4:16), 2008.
[Bol11] B. Bollig. An automaton over data words that captures EMSO logic.
In CONCUR’11, volume 6901 of LNCS, pages 171–186. Springer,
2011.
116
[Bol14] B. Bollig. Logic for communicating automata with parameterized
topology. In CSL-LICS’14. ACM Press, 2014.
[BPT03] P. Bouyer, A. Petit, and D. Thérien. An algebraic approach to
data languages and timed languages. Information and Computation,
182(2):137–162, 2003.
[BS10] H. Björklund and T. Schwentick. On notions of regularity for data
languages. Theoretical Computer Science, 411(4-5):702–715, 2010.
[BS12] L. Bozzelli and C. Sánchez. Visibly Rational Expressions. In
FSTTCS’12, volume 18 of Leibniz International Proceedings in Informatics, pages 211–223. Leibniz-Zentrum für Informatik, 2012.
[BS14] L. Bozzelli and C. Sánchez. Visibly linear temporal logic. In IJCAR’14, volume 8562 of LNCS, pages 418–433. Springer, 2014.
[Büc60] J. Büchi. Weak second order logic and finite automata. Z. Math.
Logik, Grundlag. Math., 5:66–62, 1960.
[BZ83] D. Brand and P. Zafiropulo. On communicating finite-state machines.
Journal of the ACM, 30(2), 1983.
[CCJ06] F. Cassez, T. Chatain, and C. Jard. Symbolic unfoldings for networks
of timed automata. In ATVA’06, volume 4218 of LNCS, pages 307–
321. Springer, 2006.
[CDK10] J. Chalopin, S. Das, and A. Kosowski. Constructing a map of
an anonymous graph: Applications of universal sequences. In
OPODIS’10, volume 6490 of LNCS, pages 119–134. Springer, 2010.
[CE81] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proceedings
of the Workshop on Logics of Programs, volume 131 of LNCS, pages
52–71. Springer, 1981.
[CGNK12] A. Cyriac, P. Gastin, and K. Narayan Kumar. MSO decidability of
multi-pushdown systems via split-width. In CONCUR’12, volume
7454 of LNCS, pages 547–561. Springer, 2012.
[CHJ+ 11] S. Cassel, F. Howar, B. Jonsson, M. Merten, and B. Steffen. A succinct canonical register automaton model. In ATVA’11, volume 6996
of LNCS, pages 366–380. Springer, 2011.
[CLP11] T. Colcombet, C. Ley, and G. Puppis. On the use of guards for
logics with data. In MFCS’11, volume 6907 of LNCS, pages 243–255.
Springer, 2011.
[Cyr10] A. Cyriac. Temporal logics for concurrent recursive programs. Rapport de Master, Master Parisien de Recherche en Informatique, Paris,
France, 2010.
117
[Cyr14] A. Cyriac. Verification of Communicating Recursive Programs via
Split-width. PhD thesis, Laboratoire Spécification et Vérification,
ENS Cachan, 2014.
[DDMR04] M. De Wulf, L. Doyen, N. Markey, and J.-F. Raskin. Robustness and
implementability of timed automata. In FORMATS and FTRTFT,
volume 3253 of LNCS, pages 118–133. Springer, 2004.
[DG02] V. Diekert and P. Gastin.
LTL is expressively complete for
Mazurkiewicz traces. Journal of Computer and System Sciences,
64(2):396–418, 2002.
[DG06] V. Diekert and P. Gastin. Pure future local temporal logics are expressively complete for Mazurkiewicz traces. Information and Computation, 204(11):1597–1619, 2006.
[DGP95] V. Diekert, P. Gastin, and A. Petit. Rational and recognizable complex trace languages. Information and Computation, 116(1):134–153,
1995.
[DL07] C. Dima and R. Lanotte. Distributed time-asynchronous automata.
In ICTAC’07, volume 4711 of LNCS, pages 185–200. Springer, 2007.
[DL09] S. Demri and R. Lazić. LTL with the freeze quantifier and register
automata. ACM Transactions on Computational Logic, 10(3), 2009.
[DM94] V. Diekert and A. Muscholl. Deterministic asynchronous automata
for infinite traces. Acta Informatica, 31(4):379–397, 1994.
[DR95] V. Diekert and G. Rozenberg, editors. The Book of Traces. World
Scientific, Singapore, 1995.
[DST13] G. Delzanno, A. Sangnier, and R. Traverso. Parameterized verification of broadcast networks of register automata. In RP’13, volume
8169 of LNCS, pages 109–121. Springer, 2013.
[DSZ10] G. Delzanno, A. Sangnier, and G. Zavattaro. Parameterized verification of ad hoc networks. In CONCUR’10, volume 6269 of LNCS.
Springer, 2010.
[DSZ11] G. Delzanno, A. Sangnier, and G. Zavattaro. On the power of cliques
in the parameterized verification of ad hoc networks. In FoSSaCS’11,
volume 6604 of LNCS, pages 441–455. Springer, 2011.
[EGM13] J. Esparza, P. Ganty, and R. Majumdar. Parameterized verification
of asynchronous shared-memory systems. In CAV’13, volume 8044 of
LNCS, pages 124–140. Springer, 2013.
[EK04] E. A. Emerson and V. Kahlon. Parameterized model checking of ringbased message passing systems. In CSL’04, volume 3210 of LNCS,
pages 325–339. Springer, 2004.
118
[Elg61] C. C. Elgot. Decision problems of finite automata design and related arithmetics. Transactions of the American Mathematical Society, 98:21–52, 1961.
[EN03] E. A. Emerson and K. S. Namjoshi. On reasoning about rings. International Journal of Foundations of Computer Science, 14(4):527–550,
2003.
[Esp14] J. Esparza. Keeping a crowd safe: On the complexity of parameterized
verification. In STACS’14, volume 25 of Leibniz International Proceedings in Informatics, pages 1–10. Leibniz-Zentrum für Informatik,
2014.
[Fig10] D. Figueira. Reasoning on Words and Trees with Data. PhD thesis,
Laboratoire Spécification et Vérification, ENS Cachan, 2010.
[FK03] N. Francez and M. Kaminski. An algebraic characterization of deterministic regular languages over infinite alphabets. Theoretical Computer Science, 306(1-3):155–175, 2003.
[Gen05] B. Genest. On implementation of global concurrent systems with local
asynchronous controllers. In CONCUR’05, volume 3653 of LNCS,
pages 443–457. Springer, 2005.
[GGMW10] B. Genest, H. Gimbert, A. Muscholl, and I. Walukiewicz. Optimal
zielonka-type construction of deterministic asynchronous automata.
In ICALP’10, volume 6199 of LNCS, pages 52–63. Springer, 2010.
[GGMW13] B. Genest, H. Gimbert, A. Muscholl, and I. Walukiewicz. Asynchronous games over tree architectures. In ICALP’13, volume 7966
of LNCS, pages 275–286. Springer, 2013.
[GHR94] D. M. Gabbay, I. Hodkinson, and M. A. Reynolds. Temporal Logic:
Mathematical Foundations and Computational Aspects, vol. 1. Oxford
University Press, 1994.
[GK07] P. Gastin and D. Kuske. Uniform satisfiability in PSPACE for local
temporal logics over Mazurkiewicz traces. Fundamenta Informaticae,
80(1-3):169–197, 2007.
[GK10] P. Gastin and D. Kuske. Uniform satisfiability problem for local temporal logics over Mazurkiewicz traces. Information and Computation,
208(7):797–816, 2010.
[GKM06] B. Genest, D. Kuske, and A. Muscholl. A Kleene theorem and
model checking algorithms for existentially bounded communicating
automata. Information and Computation, 204(6):920–956, 2006.
[GKM07] B. Genest, D. Kuske, and A. Muscholl. On communicating automata
with bounded channels. Fundamenta Informaticae, 80(1-3):147–167,
2007.
119
[GL08] O. Grinchtein and M. Leucker. Network invariants for real-time systems. Formal Aspects of Computing, 20(6):619–635, 2008.
[GM06] B. Genest and A. Muscholl. Constructing exponential-size deterministic Zielonka automata. In ICALP’06, volume 4052 of LNCS, pages
565–576. Springer, 2006.
[GMP03] E. Gunter, A. Muscholl, and D. Peled. Compositional message sequence charts. International Journal on Software Tools and Technology Transfer (STTT), 5(1):78–89, 2003.
[GMSZ06] B. Genest, A. Muscholl, H. Seidl, and M. Zeitoun. Infinite-state highlevel MSCs: Model-checking and realizability. Journal of Computer
and System Sciences, 72(4):617–647, 2006.
[GS13] P. Gastin and N. Sznajder. Fair synthesis for asynchronous distributed systems. ACM Transactions on Computational Logic,
14(2:9), 2013.
[GW10] S. Grumbach and Z. Wu. Logical locality entails frugal distributed
computation over graphs (extended abstract). In WG’09, volume
5911 of LNCS, pages 154–165. Springer, 2010.
[Han65] W. Hanf. Model-theoretic methods in the study of elementary logic.
In J. W. Addison, L. Henkin, and A. Tarski, editors, The Theory of
Models. North-Holland, Amsterdam, 1965.
[HJJ+ 95] J. G. Henriksen, J. L. Jensen, M. E. Jørgensen, N. Klarlund, R. Paige,
T. Rauhe, and A. Sandholm. Mona: Monadic second-order logic
in practice. In TACAS’95, volume 1019 of LNCS, pages 89–110.
Springer, 1995.
[HLMS12] A. Heußner, J. Leroux, A. Muscholl, and G. Sutre. Reachability
analysis of communicating pushdown systems. Logical Methods in
Computer Science, 8(3:23):1–20, 2012.
[HMK+ 05] J. G. Henriksen, M. Mukund, K. Narayan Kumar, M. Sohoni, and
P. S. Thiagarajan. A theory of regular MSC languages. Information
and Computation, 202(1):1–38, 2005.
[Hol03] G. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley Professional, 2003.
[JB14] S. Jacobs and R. Bloem. Parameterized synthesis. Logical Methods
in Computer Science, 10(1), 2014.
[Kam68] H. Kamp. Tense Logic and the Theory of Linear Order. PhD thesis,
University of California, Los Angeles, 1968.
[KF94] M. Kaminski and N. Francez. Finite-memory automata. Theoretical
Computer Science, 134(2):329–363, 1994.
120
[KST12] A. Kara, T. Schwentick, and T. Tan. Feasible automata for twovariable logic with successor on data words. In LATA’12, volume
7183 of LNCS, pages 351–362. Springer, 2012.
[Kus03] D. Kuske. Regular sets of infinite message sequence charts. Information and Computation, 187:80–109, 2003.
[KZ10] M. Kaminski and D. Zeitlin. Finite-memory automata with nondeterministic reassignment. International Journal of Foundations of
Computer Science, 21(5):741–760, 2010.
[Lib04] L. Libkin. Elements of Finite Model Theory. Springer, 2004.
[LM04] M. Lohrey and A. Muscholl. Bounded MSC Communication. Information and Computation, 189(2):160–181, 2004.
[LMM02] M. Leucker, P. Madhusudan, and S. Mukhopadhyay. Dynamic message sequence charts. In FSTTCS 2002, volume 2556 of LNCS, pages
253–264. Springer, 2002.
[LMP07] S. La Torre, P. Madhusudan, and G. Parlato. A robust class of
context-sensitive languages. In LICS’07, pages 161–170. IEEE Computer Society Press, 2007.
[LMP08a] S. La Torre, P. Madhusudan, and G. Parlato. Context-bounded analysis of concurrent queue systems. In Proceedings of TACAS’08, volume
4963 of LNCS, pages 299–314. Springer, 2008.
[LMP08b] S. La Torre, P. Madhusudan, and G. Parlato. An infinite automaton
characterization of double exponential time. In CSL’08, volume 5213
of LNCS, pages 33–48. Springer, 2008.
[LMP10a] S. La Torre, P. Madhusudan, and G. Parlato. The language theory
of bounded context-switching. In LATIN’08, volume 6034 of LNCS,
pages 96–107. Springer, 2010.
[LMP10b] S. La Torre, P. Madhusudan, and G. Parlato. Model-checking parameterized concurrent programs using linear interfaces. In CAV’10,
volume 6174 of LNCS, pages 629–644. Springer, 2010.
[LN11] S. La Torre and M. Napoli. Reachability of multistack pushdown
systems with scope-bounded matching relations. In CONCUR’11,
volume 6901 of LNCS, pages 203–218. Springer, 2011.
[LNP14a] S. La Torre, M. Napoli, and G. Parlato. Scope-bounded pushdown languages. In DLT’14, volume 8633 of LNCS, pages 116–128.
Springer, 2014.
[LNP14b] S. La Torre, M. Napoli, and G. Parlato. A unifying approach for
multistack pushdown automata. In MFCS’14, volume 8634 of LNCS,
pages 377–389. Springer, 2014.
121
[LNZ05] D. Lugiez, P. Niebert, and S. Zennou. A partial order semantics approach to the clock explosion problem of timed automata. Theoretical
Computer Science, 345(1):27–59, 2005.
[LP12] S. La Torre and G. Parlato. Scope-bounded Multistack Pushdown Systems: Fixed-Point, Sequentialization, and Tree-Width. In
FSTTCS’12, volume 18 of Leibniz International Proceedings in Informatics, pages 173–184. Leibniz-Zentrum für Informatik, 2012.
[LPY95] K. G. Larsen, P. Pettersson, and W. Yi. Compositional and symbolic
model-checking of real-time systems. In RTSS’95, pages 76–89. IEEE
Computer Society Press, 1995.
[LST95] C. Lautemann, T. Schwentick, and D. Thérien. Logics for context-free
languages. In CSL’94, volume 933 of LNCS, pages 205–216. Springer,
1995.
[LTKR08] A. Lal, T. Touili, N. Kidd, and T. W. Reps. Interprocedural analysis
of concurrent programs under a context bound. In TACAS’08, volume
4963 of LNCS, pages 282–298. Springer, 2008.
[LTN12] S. La Torre and M. Napoli. A temporal logic for multi-threaded
programs. In IFIP-TCS’12, volume 7604 of LNCS, pages 225–239.
Springer, 2012.
[LW00] K. Lodaya and P. Weil. Series-parallel languages and the boundedwidth property. Theoretical Computer Science, 237(1-2):347 – 380,
2000.
[LW01] K. Lodaya and P. Weil. Rationality in algebras with a series operation.
Information and Computation, 171(2):269 – 293, 2001.
[Mad01] P. Madhusudan. Reasoning about sequential and branching behaviours of message sequence graphs. In ICALP’01, volume 2076
of LNCS, pages 809–820. Springer, 2001.
[Mad03] P. Madhusudan. Model-checking trace event structures. In LICS’03,
pages 371–380. IEEE Computer Society Press, 2003.
[Men14] R. Mennicke. Model checking concurrent recursive programs using
temporal logics. In MFCS’14, volume 8634 of LNCS, pages 438–450.
Springer, 2014.
[Mey08] R. Meyer. On boundedness in depth in the ⇡-calculus. In IFIP
TCS’08, volume 273 of IFIP, pages 477–489. Springer, 2008.
[MM01] P. Madhusudan and B. Meenakshi. Beyond message sequence graphs.
In FSTTCS 2001, volume 2245 of LNCS, pages 256–267. Springer,
2001.
122
[MMP13] A. Manuel, A. Muscholl, and G. Puppis. Walking on data words. In
CSR’13, volume 7913 of LNCS, pages 64–75. Springer, 2013.
[MP11] P. Madhusudan and G. Parlato. The tree width of auxiliary storage.
In POPL’11, pages 283–294. ACM, 2011.
[MST02] O. Matz, N. Schweikardt, and W. Thomas. The monadic quantifier
alternation hierarchy over grids and graphs. Information and Computation, 179(2):356–383, 2002.
[MTY05] P. Madhusudan, P. S. Thiagarajan, and S. Yang. The MSO theory of
connectedly communicating processes. In FSTTCS’05, volume 3821
of LNCS, pages 201–212. Springer, 2005.
[Mus94] A. Muscholl. Über die Erkennbarkeit unendlicher Spuren. PhD thesis,
Institut für Informatik, Universität Stuttgart, 1994.
[MW14] A. Muscholl and I. Walukiewicz. Distributed Synthesis for Acyclic
Architectures. In FSTTCS’14, volume 29 of Leibniz International
Proceedings in Informatics, pages 639–651. Leibniz-Zentrum für Informatik, 2014.
[NSV04] F. Neven, T. Schwentick, and V. Vianu. Finite state machines for
strings over infinite alphabets. ACM Transactions on Computational
Logic, 5(3):403–435, 2004.
[Och95] E. Ochmański. Recognizable Trace Languages. In Diekert and Rozenberg [DR95], chapter 6, pages 167–204.
[Pen97] W. Penczek. Model-checking for a subclass of event structures. In
TACAS’97, volume 1217 of LNCS, pages 145–164. Springer, 1997.
[PR79] G. Peterson and J. Reif. Multiple-person alternation. In FOCS’79,
pages 348–363. IEEE Computer Society Press, 1979.
[PRA01] G. Peterson, J. Reif, and S. Azhar. Lower bounds for multiplayer noncooperative games of incomplete information. Computers & Mathematics with Applications, 41:957–992, 2001.
[Pur00] A. Puri. Dynamical properties of timed automata. Discrete Event
Dynamic Systems, 10(1-2):87–113, 2000.
[PWW98] D. Peled, Th. Wilke, and P. Wolper. An algorithmic approach
for checking closure properties of temporal logic specifications and
omega-regular languages. Theoretical Computer Science, 195(2):183–
203, 1998.
[QR05] S. Qadeer and J. Rehof. Context-bounded model checking of concurrent software. In TACAS’05, volume 3440 of LNCS, pages 93–107.
Springer, 2005.
123
[QS82] J. P. Queille and J. Sifakis. Specification and verification of concurrent
systems in CESAR. In International Symposium on Programming,
volume 137 of LNCS, pages 337–351. Springer, 1982.
[Ram00] G. Ramalingam. Context-sensitive synchronization-sensitive analysis
is undecidable. ACM Transactions on Programming Languages and
Systems, 22(2):416–430, 2000.
[SB99] T. Schwentick and K. Barthelmann. Local normal forms for first-order
logic with applications to games and automata. Discrete Mathematics
& Theoretical Computer Science, 3(3):109–124, 1999.
[Seg06] L. Segoufin. Automata and logics for words and trees over an infinite
alphabet. In CSL’06, volume 4207 of LNCS, pages 41–57. Springer,
2006.
[SEM03] A. Stefanescu, J. Esparza, and A. Muscholl. Synthesis of distributed
algorithms using asynchronous automata. In CONCUR’03, volume
2761 of LNCS, pages 27–41. Springer, 2003.
[SF07] S. Schewe and B. Finkbeiner. Semi-automatic distributed synthesis. International Journal of Foundations of Computer Science,
18(1):113–138, 2007.
[SFK08] M. Swaminathan, M. Fränzle, and J.-P. Katoen. The surprising robustness of (closed) timed automata against clock-drift. In IFIPTCS’08, volume 273 of IFIP, pages 537–553. Springer, 2008.
[Tho90] W. Thomas. On logical definability of trace languages. In Proceedings
of Algebraic and Syntactic Methods in Computer Science (ASMICS),
Report TUM-I9002, Technical University of Munich, pages 172–182,
1990.
[Tho96] W. Thomas. Elements of an automata theory over partial orders. In
POMIV’96, volume 29 of DIMACS. AMS, 1996.
[Tho97] W. Thomas. Languages, automata and logic. In A. Salomaa and
G. Rozenberg, editors, Handbook of Formal Languages, volume 3,
pages 389–455. Springer, 1997.
[Tra62] B. A. Trakhtenbrot. Finite automata and monadic second order logic.
Siberian Math. J, 3:103–131, 1962. In Russian; English translation in
Amer. Math. Soc. Transl. 59, 1966, 23–55.
[TW97] P. S. Thiagarajan and I. Walukiewicz. An expressively complete linear
time temporal logic for Mazurkiewicz traces. In LICS’97, pages 183–
194. IEEE Computer Society Press, 1997.
[Tze11] N. Tzevelekos. Fresh-register automata. In POPL’11, pages 295–306.
ACM, 2011.
124
[WN95] G. Winskel and M. Nielsen. Models for concurrency. In Handbook of
Logic in Computer Science (Vol. 4), pages 1–148. Oxford University
Press, 1995.
[Zie87] W. Zielonka. Notes on finite asynchronous automata. R.A.I.R.O. —
Informatique Théorique et Applications, 21:99–135, 1987.
125
126
Index
alphabet, 15
finite, 15
infinite, 15
ranked, 80
automaton
asynchronous, 29
branching, 93
class memory (CMA), 70
class register (CRA), 68
data, 72
fresh-register (FRA), 61
nested-trace (NTA), 28
nested-word (NWA), 19
register (RA), 62
session (SA), 62
timed, 96
Zielonka, 29
context, 21
data language, 62
data word, 59
symbolic, 64
well-formed symbolic, 64
dependence relation, 30
distributed alphabet, 18
domain, 15
executable, 89
game, 105
implementable, 86
independence relation, 30
interface name, 40
Mazurkiewicz trace, 3, 29
message sequence chart (MSC), 3
message sequence graph (MSG), 87
message sequence chart (MSC), 42
(k, ct)-bounded, 45
k-bounded, 44
branching high-level, 93
dynamic, 81
linearization of, 44
partial, 80
model checking, 2
MSO logic
over dynamic MSCs, 91
clock region, 100
clock valuation, 96
closed, 82
communicating automaton (CA), 46
dynamic (DCA), 82
fixed-topology, 47
parameterized (PCA), 49
weak parameterized, 50
communication structure, 90
concatenation, 87
concretization, 64
127
over
over
over
over
MSCs, 47, 50
nested traces, 33
nested words, 23
topologies, 49
guarded, 92
representation, 32
restriction, 22
semantics
existential, 98
reactive, 106
universal, 98
series-parallel pomset, 93
specification, 5
nested trace, 27
linearization of, 29
nested word, 18
k-context, 21
k-phase, 21
k-scope, 21
ordered, 22
phase, 21
Post’s correspondence problem, 102
process identifier (pid), 79, 80
realizability, 2
realizable, 86
register message sequence graph (rMSG),
87
executable, 89
128
temporal logic over nested words, 35
topology, 41
grid, 42
pipeline, 41
ring, 42
ring forest, 42
tree, 42
transition label, 61
word, 15
empty, 15